From eeb0b0768f21be40f2f5d998e48db886696cfbef Mon Sep 17 00:00:00 2001
From: Rui Tome <rtome@bitwarden.com>
Date: Mon, 26 May 2025 11:22:18 +0100
Subject: [PATCH] Skip policy check if two-step login is enabled for the user

---
 .../OrganizationUsers/AcceptOrgUserCommand.cs             | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommand.cs
index 835d1768a2..8776634ae2 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AcceptOrgUserCommand.cs
@@ -235,10 +235,16 @@ public class AcceptOrgUserCommand : IAcceptOrgUserCommand
     {
         if (_featureService.IsEnabled(FeatureFlagKeys.PolicyRequirements))
         {
+            if (await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(user))
+            {
+                // If the user has two-step login enabled, we skip checking the 2FA policy
+                return;
+            }
+
             var twoFactorPolicyRequirement = await _policyRequirementQuery.GetAsync<RequireTwoFactorPolicyRequirement>(user.Id);
             var twoFactorRequiredForOrganization = twoFactorPolicyRequirement.IsTwoFactorRequiredForOrganization(organizationId);
 
-            if (twoFactorRequiredForOrganization && !await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(user))
+            if (twoFactorRequiredForOrganization)
             {
                 throw new BadRequestException("You cannot join this organization until you enable two-step login on your user account.");
             }