put back in the request for now.

bitwarden_license/src/Scim/Models/ScimUserRequestModel.cs

@@ -32,7 +32,8 @@ public class ScimUserRequestModel : BaseScimUserModel
     public InviteOrganizationUsersRequest ToRequest(
         ScimProviderType scimProvider,
         InviteOrganization inviteOrganization,
-        DateTimeOffset performedAt)
+        DateTimeOffset performedAt,
+        bool hasSecretsManagerStandalone)
     {
         var email = EmailForInvite(scimProvider);
 
@@ -47,7 +48,7 @@ public class ScimUserRequestModel : BaseScimUserModel
                 new Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models.OrganizationUserInvite(
                         email: email,
                         externalId: ExternalIdForInvite(),
-                        accessSecretsManager: false // TODO do something about this
+                        accessSecretsManager: hasSecretsManagerStandalone
                     )
             ],
             inviteOrganization: inviteOrganization,

bitwarden_license/src/Scim/Users/PostUserCommand.cs

@@ -63,10 +63,24 @@ public class PostUserCommand(
             return null;
         }
 
+        var hasSecretsManagerStandalone = await paymentService.HasSecretsManagerStandalone(organization);
+
         var request = model.ToRequest(
             scimProvider: scimProvider,
             inviteOrganization: new InviteOrganization(organization, plan),
-            performedAt: timeProvider.GetUtcNow());
+            performedAt: timeProvider.GetUtcNow(),
+            hasSecretsManagerStandalone);
+
+        var orgUsers =
+            await organizationUserRepository.GetManyDetailsByOrganizationAsync(
+                request.InviteOrganization.OrganizationId);
+
+        if (orgUsers.Any(existingUser =>
+                request.Invites.First().Email.Equals(existingUser.Email, StringComparison.OrdinalIgnoreCase) ||
+                request.Invites.First().ExternalId.Equals(existingUser.ExternalId, StringComparison.OrdinalIgnoreCase)))
+        {
+            throw new ConflictException("User already exists.");
+        }
 
         var result = await inviteOrganizationUsersCommand.InviteScimOrganizationUserAsync(request);
 

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/InviteOrganizationUsersCommand.cs

@@ -1,6 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Interfaces;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Errors;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Validation;
 using Bit.Core.AdminConsole.Shared.Validation;
@@ -44,20 +43,6 @@ public class InviteOrganizationUsersCommand(IEventService eventService,
 
     public async Task<CommandResult<ScimInviteOrganizationUsersResponse>> InviteScimOrganizationUserAsync(InviteOrganizationUsersRequest request)
     {
-        var hasSecretsManagerStandalone = await paymentService.HasSecretsManagerStandalone(request.InviteOrganization);
-
-        // Maybe move this all back up
-        var orgUsers = await organizationUserRepository.GetManyDetailsByOrganizationAsync(request.InviteOrganization.OrganizationId);
-
-        if (orgUsers.Any(existingUser =>
-                request.Invites.First().Email.Equals(existingUser.Email, StringComparison.InvariantCultureIgnoreCase) ||
-                request.Invites.First().ExternalId.Equals(existingUser.ExternalId, StringComparison.InvariantCultureIgnoreCase)))
-        {
-            return new Failure<ScimInviteOrganizationUsersResponse>(
-                new UserAlreadyExistsError(new ScimInviteOrganizationUsersResponse(request)));
-        }
-        // end of move
-
         var result = await InviteOrganizationUsersAsync(request);
 
         switch (result)