chore(flags): [PM-28337] Remove account recovery permission feature flag

* Removed pm-24425-send-2fa-failed-email * Remove feature flag * Linting * Removed tests and cleaned up comment.
[PM-25949] ExternalCallback Integration tests for SSO Project (#6809 )
2026-01-12 06:53:23 +00:00 · 2026-01-11 12:04:10 -05:00 · 2026-01-10 09:02:50 -05:00 · 2026-01-09 16:34:06 +01:00 · 2026-01-09 10:04:52 -05:00 · 2026-01-09 09:17:45 +01:00
858 changed files with 102414 additions and 12385 deletions
--- a/.claude/prompts/review-code.md
+++ b/.claude/prompts/review-code.md
@ -1,25 +0,0 @@
-Please review this pull request with a focus on:
-
- Code quality and best practices
- Potential bugs or issues
- Security implications
- Performance considerations
-
-Note: The PR branch is already checked out in the current working directory.
-
-Provide a comprehensive review including:
-
- Summary of changes since last review
- Critical issues found (be thorough)
- Suggested improvements (be thorough)
- Good practices observed (be concise - list only the most notable items without elaboration)
- Action items for the author
- Leverage collapsible <details> sections where appropriate for lengthy explanations or code snippets to enhance human readability
-
-When reviewing subsequent commits:
-
- Track status of previously identified issues (fixed/unfixed/reopened)
- Identify NEW problems introduced since last review
- Note if fixes introduced new issues
-
-IMPORTANT: Be comprehensive about issues and improvements. For good practices, be brief - just note what was done well without explaining why or praising excessively.
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -53,6 +53,11 @@ src/Core/IdentityServer @bitwarden/team-auth-dev

 # Dirt (Data Insights & Reporting) team
 **/Dirt @bitwarden/team-data-insights-and-reporting-dev
+src/Events @bitwarden/team-data-insights-and-reporting-dev
+src/EventsProcessor @bitwarden/team-data-insights-and-reporting-dev
+test/Events.IntegrationTest @bitwarden/team-data-insights-and-reporting-dev
+test/Events.Test @bitwarden/team-data-insights-and-reporting-dev
+test/EventsProcessor.Test @bitwarden/team-data-insights-and-reporting-dev

 # Vault team
 **/Vault @bitwarden/team-vault-dev
@ -63,8 +68,6 @@ src/Core/IdentityServer @bitwarden/team-auth-dev
 bitwarden_license/src/Scim @bitwarden/team-admin-console-dev
 bitwarden_license/src/test/Scim.IntegrationTest @bitwarden/team-admin-console-dev
 bitwarden_license/src/test/Scim.ScimTest @bitwarden/team-admin-console-dev
-src/Events @bitwarden/team-admin-console-dev
-src/EventsProcessor @bitwarden/team-admin-console-dev

 # Billing team
 **/*billing* @bitwarden/team-billing-dev
--- a/.github/ISSUE_TEMPLATE/bw-lite.yml
+++ b/.github/ISSUE_TEMPLATE/bw-lite.yml
@ -70,15 +70,6 @@ body:
        mariadb:10
        # Postgres Example
        postgres:14
-  - type: textarea
-    id: epic-label
-    attributes:
-      label: Issue-Link
-      description: Link to our pinned issue, tracking all Bitwarden lite
-      value: |
-        https://github.com/bitwarden/server/issues/2480
-    validations:
-      required: true
  - type: checkboxes
    id: issue-tracking-info
    attributes:
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@ -10,41 +10,7 @@
    "nuget",
  ],
  packageRules: [
-    {
-      groupName: "cargo minor",
-      matchManagers: ["cargo"],
-      matchUpdateTypes: ["minor"],
-    },
-    {
-      groupName: "dockerfile minor",
-      matchManagers: ["dockerfile"],
-      matchUpdateTypes: ["minor"],
-    },
-    {
-      groupName: "docker-compose minor",
-      matchManagers: ["docker-compose"],
-      matchUpdateTypes: ["minor"],
-    },
-    {
-      groupName: "github-action minor",
-      matchManagers: ["github-actions"],
-      matchUpdateTypes: ["minor"],
-      addLabels: ["hold"],
-    },
-    {
-      // For any Microsoft.Extensions.* and Microsoft.AspNetCore.* packages, we want to create PRs for patch updates.
-      // This overrides the default that ignores patch updates for nuget dependencies.
-      matchPackageNames: [
-          "/^Microsoft\\.Extensions\\./",
-          "/^Microsoft\\.AspNetCore\\./",
-      ],
-      matchUpdateTypes: ["patch"],
-      dependencyDashboardApproval: false,
-    },
-    {
-      matchPackageNames: ["https://github.com/bitwarden/sdk-internal.git"],
-      groupName: "sdk-internal",
-    },
+    // ==================== Team Ownership Rules ====================
    {
      matchManagers: ["dockerfile", "docker-compose"],
      commitMessagePrefix: "[deps] BRE:",
@ -67,6 +33,7 @@
        "Fido2.AspNet",
        "Duende.IdentityServer",
        "Microsoft.AspNetCore.Authentication.JwtBearer",
+        "Microsoft.Extensions.Caching.Cosmos",
        "Microsoft.Extensions.Identity.Stores",
        "Otp.NET",
        "Sustainsys.Saml2.AspNetCore2",
@ -100,11 +67,6 @@
      commitMessagePrefix: "[deps] Billing:",
      reviewers: ["team:team-billing-dev"],
    },
-    {
-      matchPackageNames: ["/^Microsoft\\.EntityFrameworkCore\\./", "/^dotnet-ef/"],
-      groupName: "EntityFrameworkCore",
-      description: "Group EntityFrameworkCore to exclude them from the dotnet monorepo preset",
-    },
    {
      matchPackageNames: [
        "Dapper",
@ -152,7 +114,6 @@
        "Microsoft.Extensions.DependencyInjection",
        "Microsoft.Extensions.Logging",
        "Microsoft.Extensions.Logging.Console",
-        "Microsoft.Extensions.Caching.Cosmos",
        "Microsoft.Extensions.Caching.SqlServer",
        "Microsoft.Extensions.Caching.StackExchangeRedis",
        "Quartz",
@ -161,6 +122,12 @@
      commitMessagePrefix: "[deps] Platform:",
      reviewers: ["team:team-platform-dev"],
    },
+    {
+      matchUpdateTypes: ["lockFileMaintenance"],
+      description: "Platform owns lock file maintenance",
+      commitMessagePrefix: "[deps] Platform:",
+      reviewers: ["team:team-platform-dev"],
+    },
    {
      matchPackageNames: [
        "AutoMapper.Extensions.Microsoft.DependencyInjection",
@ -190,6 +157,73 @@
      commitMessagePrefix: "[deps] Vault:",
      reviewers: ["team:team-vault-dev"],
    },
+
+    // ==================== Grouping Rules ====================
+    // These come after any specific team assignment rules to ensure
+    // that grouping is not overridden by subsequent rule definitions.
+    {
+      groupName: "cargo minor",
+      matchManagers: ["cargo"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      groupName: "dockerfile minor",
+      matchManagers: ["dockerfile"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      groupName: "docker-compose minor",
+      matchManagers: ["docker-compose"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      groupName: "github-action minor",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["minor"],
+      addLabels: ["hold"],
+    },
+    {
+      matchPackageNames: ["/^Microsoft\\.EntityFrameworkCore\\./", "/^dotnet-ef/"],
+      groupName: "EntityFrameworkCore",
+      description: "Group EntityFrameworkCore to exclude them from the dotnet monorepo preset",
+    },
+    {
+      matchPackageNames: ["https://github.com/bitwarden/sdk-internal.git"],
+      groupName: "sdk-internal",
+      dependencyDashboardApproval: true
+    },
+
+    // ==================== Dashboard Rules ====================
+    {
+      // For any Microsoft.Extensions.* and Microsoft.AspNetCore.* packages, we want to create PRs for patch updates.
+      // This overrides the default that ignores patch updates for nuget dependencies.
+      matchPackageNames: [
+          "/^Microsoft\\.Extensions\\./",
+          "/^Microsoft\\.AspNetCore\\./",
+      ],
+      matchUpdateTypes: ["patch"],
+      dependencyDashboardApproval: false,
+    },
+    {
+      // For the Platform-owned dependencies below, we have decided we will only be creating PRs
+      // for major updates, and sending minor (as well as patch, inherited from base config) to the dashboard.
+      // This rule comes AFTER grouping rules so that groups are respected while still
+      // sending minor/patch updates to the dependency dashboard for approval.
+      matchPackageNames: [
+        "AspNetCoreRateLimit",
+        "AspNetCoreRateLimit.Redis",
+        "Azure.Data.Tables",
+        "Azure.Extensions.AspNetCore.DataProtection.Blobs",
+        "Azure.Messaging.EventGrid",
+        "Azure.Messaging.ServiceBus",
+        "Azure.Storage.Blobs",
+        "Azure.Storage.Queues",
+        "LaunchDarkly.ServerSdk",
+        "Quartz",
+      ],
+      matchUpdateTypes: ["minor"],
+      dependencyDashboardApproval: true,
+    },
  ],
  ignoreDeps: ["dotnet-sdk"],
 }
--- a/.github/workflows/_move_edd_db_scripts.yml
+++ b/.github/workflows/_move_edd_db_scripts.yml
@ -38,7 +38,7 @@ jobs:
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Check out branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
          persist-credentials: false
@ -68,7 +68,7 @@ jobs:
    if: ${{ needs.setup.outputs.copy_edd_scripts == 'true' }}
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          persist-credentials: true
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -25,13 +25,13 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Verify format
        run: dotnet format --verify-no-changes
@ -39,8 +39,7 @@ jobs:
  build-artifacts:
    name: Build Docker images
    runs-on: ubuntu-22.04
-    needs:
-      - lint
+    needs: lint
    outputs:
      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
    permissions:
@ -102,7 +101,7 @@ jobs:
          echo "has_secrets=$has_secrets" >> "$GITHUB_OUTPUT"

      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
@ -120,10 +119,10 @@ jobs:
          fi

      - name: Set up .NET
-        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Set up Node
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          cache: "npm"
          cache-dependency-path: "**/package-lock.json"
@ -160,7 +159,7 @@ jobs:
          ls -atlh ../../../

      - name: Upload project artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: ${{ matrix.dotnet }}
        with:
          name: ${{ matrix.project_name }}.zip
@ -169,10 +168,10 @@ jobs:

      ########## Set up Docker ##########
      - name: Set up QEMU emulators
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      ########## ACRs ##########
      - name: Log in to Azure
@ -246,7 +245,7 @@ jobs:

      - name: Install Cosign
        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
-        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1

      - name: Sign image with Cosign
        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
@ -264,14 +263,14 @@ jobs:

      - name: Scan Docker image
        id: container-scan
-        uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0
+        uses: anchore/scan-action@3c9a191a0fbab285ca6b8530b5de5a642cba332f # v7.2.2
        with:
          image: ${{ steps.image-tags.outputs.primary_tag }}
          fail-build: false
          output-format: sarif

      - name: Upload Grype results to GitHub
-        uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          sarif_file: ${{ steps.container-scan.outputs.sarif }}
          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
@ -289,13 +288,13 @@ jobs:
      actions: read
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Log in to Azure
        uses: bitwarden/gh-actions/azure-login@main
@ -356,7 +355,7 @@ jobs:
        if: |
          github.event_name != 'pull_request'
          && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: docker-stub-US.zip
          path: docker-stub-US.zip
@ -366,7 +365,7 @@ jobs:
        if: |
          github.event_name != 'pull_request'
          && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: docker-stub-EU.zip
          path: docker-stub-EU.zip
@ -378,21 +377,21 @@ jobs:
          pwsh ./generate_openapi_files.ps1

      - name: Upload Public API Swagger artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: swagger.json
          path: api.public.json
          if-no-files-found: error

      - name: Upload Internal API Swagger artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: internal.json
          path: api.json
          if-no-files-found: error

      - name: Upload Identity Swagger artifact
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: identity.json
          path: identity.json
@ -401,8 +400,7 @@ jobs:
  build-mssqlmigratorutility:
    name: Build MSSQL migrator utility
    runs-on: ubuntu-22.04
-    needs:
-      - lint
+    needs: lint
    defaults:
      run:
        shell: bash
@ -416,13 +414,13 @@ jobs:
          - win-x64
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Print environment
        run: |
@ -438,7 +436,7 @@ jobs:

      - name: Upload project artifact for Windows
        if: ${{ contains(matrix.target, 'win') == true }}
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: MsSqlMigratorUtility-${{ matrix.target }}
          path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe
@ -446,20 +444,19 @@ jobs:

      - name: Upload project artifact
        if: ${{ contains(matrix.target, 'win') == false }}
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: MsSqlMigratorUtility-${{ matrix.target }}
          path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility
          if-no-files-found: error

-  self-host-build:
-    name: Trigger self-host build
+  bitwarden-lite-build:
+    name: Trigger Bitwarden lite build
    if: |
      github.event_name != 'pull_request'
      && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
    runs-on: ubuntu-22.04
-    needs:
-      - build-artifacts
+    needs: build-artifacts
    permissions:
      id-token: write
    steps:
@ -481,11 +478,13 @@ jobs:
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Generate GH App token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: app-token
        with:
          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: self-host

      - name: Trigger Bitwarden lite build
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
@ -503,11 +502,10 @@ jobs:
            });

  trigger-k8s-deploy:
-    name: Trigger k8s deploy
+    name: Trigger K8s deploy
    if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-22.04
-    needs:
-      - build-artifacts
+    needs: build-artifacts
    permissions:
      id-token: write
    steps:
@ -529,13 +527,15 @@ jobs:
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Generate GH App token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: app-token
        with:
          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: devops

-      - name: Trigger k8s deploy
+      - name: Trigger K8s deploy
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          github-token: ${{ steps.app-token.outputs.token }}
@ -553,8 +553,7 @@ jobs:

  setup-ephemeral-environment:
    name: Setup Ephemeral Environment
-    needs:
-      - build-artifacts
+    needs: build-artifacts
    if: |
      needs.build-artifacts.outputs.has_secrets == 'true'
      && github.event_name == 'pull_request'
@ -577,7 +576,7 @@ jobs:
      - build-artifacts
      - upload
      - build-mssqlmigratorutility
-      - self-host-build
+      - bitwarden-lite-build
      - trigger-k8s-deploy
    permissions:
      id-token: write
--- a/.github/workflows/cleanup-after-pr.yml
+++ b/.github/workflows/cleanup-after-pr.yml
@ -1,71 +0,0 @@
-name: Container registry cleanup
-
-on:
-  pull_request:
-    types: [closed]
-
-env:
-  _AZ_REGISTRY: "bitwardenprod.azurecr.io"
-
-jobs:
-  build-docker:
-    name: Remove branch-specific Docker images
-    runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
-    steps:
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Log in to Azure ACR
-        run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
-
-      ########## Remove Docker images ##########
-      - name: Remove the Docker image from ACR
-        env:
-          REF: ${{ github.event.pull_request.head.ref }}
-          SERVICES: |
-            services:
-              - Admin
-              - Api
-              - Attachments
-              - Events
-              - EventsProcessor
-              - Icons
-              - Identity
-              - K8S-Proxy
-              - MsSql
-              - Nginx
-              - Notifications
-              - Server
-              - Setup
-              - Sso
-        run: |
-          for SERVICE in $(echo "${SERVICES}" | yq e ".services[]" - )
-          do
-            SERVICE_NAME=$(echo "$SERVICE" | awk '{print tolower($0)}')
-            IMAGE_TAG=$(echo "${REF}" | sed "s#/#-#g")  # slash safe branch name
-
-            echo "[*] Checking if remote exists: $_AZ_REGISTRY/$SERVICE_NAME:$IMAGE_TAG"
-            TAG_EXISTS=$(
-              az acr repository show-tags --name "$_AZ_REGISTRY" --repository "$SERVICE_NAME" \
-              | jq --arg TAG "$IMAGE_TAG" -e '. | any(. == $TAG)'
-            )
-
-            if [[ "$TAG_EXISTS" == "true" ]]; then
-              echo "[*] Tag exists. Removing tag"
-              az acr repository delete --name "$_AZ_REGISTRY" --image "$SERVICE_NAME:$IMAGE_TAG" --yes
-            else
-              echo "[*] Tag does not exist. No action needed"
-            fi
-          done
-
-      - name: Log out of Docker
-        run: docker logout
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
--- a/.github/workflows/cleanup-rc-branch.yml
+++ b/.github/workflows/cleanup-rc-branch.yml
@ -31,7 +31,7 @@ jobs:
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Checkout main
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: main
          token: ${{ steps.retrieve-bot-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
--- a/.github/workflows/code-references.yml
+++ b/.github/workflows/code-references.yml
@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Check out repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@ -59,7 +59,7 @@ jobs:

      - name: Collect
        id: collect
-        uses: launchdarkly/find-code-references@e3e9da201b87ada54eb4c550c14fb783385c5c8a # v2.13.0
+        uses: launchdarkly/find-code-references@89a7d362d1d4b3725fe0fe0ccd0dc69e3bdcba58 # v2.14.0
        with:
          accessToken: ${{ steps.get-kv-secrets.outputs.LD-ACCESS-TOKEN }}
          projKey: default
--- a/.github/workflows/load-test.yml
+++ b/.github/workflows/load-test.yml
@ -87,7 +87,7 @@ jobs:
            datadog/agent:7-full@sha256:7ea933dec3b8baa8c19683b1c3f6f801dbf3291f748d9ed59234accdaac4e479

      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

@ -95,7 +95,7 @@ jobs:
        uses: grafana/setup-k6-action@ffe7d7290dfa715e48c2ccc924d068444c94bde2 # v1.1.0

      - name: Run k6 tests
-        uses: grafana/run-k6-action@c6b79182b9b666aa4f630f4a6be9158ead62536e # v1.2.0
+        uses: grafana/run-k6-action@a15e2072ede004e8d46141e33d7f7dad8ad08d9d # v1.3.1
        continue-on-error: false
        env:
          K6_OTEL_METRIC_PREFIX: k6_
--- a/.github/workflows/protect-files.yml
+++ b/.github/workflows/protect-files.yml
@ -31,7 +31,7 @@ jobs:
            label: "DB-migrations-changed"
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 2
          persist-credentials: false
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -91,7 +91,6 @@ jobs:
          - project_name: Nginx
          - project_name: Notifications
          - project_name: Scim
-          - project_name: Server
          - project_name: Setup
          - project_name: Sso
    steps:
@ -106,7 +105,7 @@ jobs:
          echo "Github Release Option: $RELEASE_OPTION"

      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          persist-credentials: false
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -39,7 +39,7 @@ jobs:
          fi

      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          persist-credentials: false
@ -89,7 +89,7 @@ jobs:

      - name: Create release
        if: ${{ inputs.release_type != 'Dry Run' }}
-        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
+        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
        with:
          artifacts: "docker-stub-US.zip,
            docker-stub-EU.zip,
--- a/.github/workflows/repository-management.yml
+++ b/.github/workflows/repository-management.yml
@ -22,9 +22,7 @@ on:
        required: false
        type: string

-permissions:
-  pull-requests: write
-  contents: write
+permissions: {}

 jobs:
  setup:
@ -32,6 +30,7 @@ jobs:
    runs-on: ubuntu-24.04
    outputs:
      branch: ${{ steps.set-branch.outputs.branch }}
+    permissions: {}
    steps:
      - name: Set branch
        id: set-branch
@ -84,14 +83,15 @@ jobs:
          version: ${{ inputs.version_number_override }}

      - name: Generate GH App token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: app-token
        with:
          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-contents: write

      - name: Check out branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: main
          token: ${{ steps.app-token.outputs.token }}
@ -207,14 +207,15 @@ jobs:
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Generate GH App token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: app-token
        with:
          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-contents: write

      - name: Check out target ref
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ inputs.target_ref }}
          token: ${{ steps.app-token.outputs.token }}
@ -240,10 +241,5 @@ jobs:
  move_edd_db_scripts:
    name: Move EDD database scripts
    needs: cut_branch
-    permissions:
-      actions: read
-      contents: write
-      id-token: write
-      pull-requests: write
+    permissions: {}
    uses: ./.github/workflows/_move_edd_db_scripts.yml
-    secrets: inherit
--- a/.github/workflows/review-code.yml
+++ b/.github/workflows/review-code.yml
@ -2,7 +2,7 @@ name: Code Review

 on:
  pull_request:
-    types: [opened, synchronize, reopened, ready_for_review]
+    types: [opened, synchronize, reopened]

 permissions: {}

--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@ -15,7 +15,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Check
-        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
        with:
          stale-issue-label: "needs-reply"
          stale-pr-label: "needs-changes"
--- a/.github/workflows/test-database.yml
+++ b/.github/workflows/test-database.yml
@ -44,12 +44,12 @@ jobs:
      checks: write
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Restore tools
        run: dotnet tool restore
@ -156,7 +156,7 @@ jobs:
        run: 'docker logs "$(docker ps --quiet --filter "name=mssql")"'

      - name: Report test results
-        uses: dorny/test-reporter@890a17cecf52a379fc869ab770a71657660be727 # v2.1.0
+        uses: dorny/test-reporter@fe45e9537387dac839af0d33ba56eed8e24189e8 # v2.3.0
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
        with:
          name: Test Results
@ -165,7 +165,7 @@ jobs:
          fail-on-error: true

      - name: Upload to codecov.io
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2

      - name: Docker Compose down
        if: always()
@ -178,12 +178,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Print environment
        run: |
@ -197,7 +197,7 @@ jobs:
        shell: pwsh

      - name: Upload DACPAC
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: sql.dacpac
          path: Sql.dacpac
@ -223,7 +223,7 @@ jobs:
        shell: pwsh

      - name: Report validation results
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: report.xml
          path: |
@ -262,3 +262,26 @@ jobs:
        working-directory: "dev"
        run: docker compose down
        shell: pwsh
+
+  validate-migration-naming:
+    name: Validate new migration naming and order
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Validate new migrations for pull request
+        if: github.event_name == 'pull_request'
+        run: |
+          git fetch origin main:main
+          pwsh dev/verify_migrations.ps1 -BaseRef main
+        shell: pwsh
+
+      - name: Validate new migrations for push
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        run: pwsh dev/verify_migrations.ps1 -BaseRef HEAD~1
+        shell: pwsh
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -27,20 +27,20 @@ jobs:

    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Install rust
-        uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # stable
        with:
          toolchain: stable

      - name: Cache cargo registry
-        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3 # v2.7.7
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - name: Print environment
        run: |
@ -59,7 +59,7 @@ jobs:
        run: dotnet test ./bitwarden_license/test --configuration Debug --logger "trx;LogFileName=bw-test-results.trx" /p:CoverletOutputFormatter="cobertura" --collect:"XPlat Code Coverage"

      - name: Report test results
-        uses: dorny/test-reporter@890a17cecf52a379fc869ab770a71657660be727 # v2.1.0
+        uses: dorny/test-reporter@fe45e9537387dac839af0d33ba56eed8e24189e8 # v2.3.0
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
        with:
          name: Test Results
@ -68,4 +68,4 @@ jobs:
          fail-on-error: true

      - name: Upload to codecov.io
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
--- a/.gitignore
+++ b/.gitignore
@ -234,6 +234,7 @@ bitwarden_license/src/Sso/Sso.zip
 /identity.json
 /api.json
 /api.public.json
+.serena/

 # Serena
 .serena/
--- a/Directory.Build.props
+++ b/Directory.Build.props
@ -3,7 +3,7 @@
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>

-    <Version>2025.12.0</Version>
+    <Version>2025.12.2</Version>

    <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
    <ImplicitUsings>enable</ImplicitUsings>
@ -16,7 +16,7 @@
  
  <PropertyGroup>
    
-    <MicrosoftNetTestSdkVersion>17.8.0</MicrosoftNetTestSdkVersion>
+    <MicrosoftNetTestSdkVersion>18.0.1</MicrosoftNetTestSdkVersion>
    
    <XUnitVersion>2.6.6</XUnitVersion>
    
--- a/README.md
+++ b/README.md
@ -58,6 +58,42 @@ Invoke-RestMethod -OutFile bitwarden.ps1 `
 .\bitwarden.ps1 -start
 ```

+## Production Container Images
+
+<details>
+<summary><b>View Current Production Image Hashes</b> (click to expand)</summary>
+<br>
+
+### US Production Cluster
+
+| Service | Image Hash |
+|---------|------------|
+| **Admin** | ![admin](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.admin&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **API** | ![api](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.api&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Billing** | ![billing](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.billing&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Events** | ![events](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.events&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **EventsProcessor** | ![eventsprocessor](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.eventsprocessor&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Identity** | ![identity](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.identity&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Notifications** | ![notifications](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.notifications&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SCIM** | ![scim](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.scim&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SSO** | ![sso](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.sso&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+
+### EU Production Cluster
+
+| Service | Image Hash |
+|---------|------------|
+| **Admin** | ![admin](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.admin&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **API** | ![api](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.api&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Billing** | ![billing](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.billing&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Events** | ![events](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.events&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **EventsProcessor** | ![eventsprocessor](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.eventsprocessor&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Identity** | ![identity](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.identity&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Notifications** | ![notifications](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.notifications&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SCIM** | ![scim](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.scim&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SSO** | ![sso](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.sso&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+
+</details>
+
 ## We're Hiring!

 Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our [Careers page](https://bitwarden.com/careers/) to see what opportunities are currently open as well as what it's like to work at Bitwarden.
--- a/bitwarden-server.sln
+++ b/bitwarden-server.sln
@ -1,7 +1,7 @@

 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 16
-VisualStudioVersion = 16.0.29102.190
+# Visual Studio Version 17
+VisualStudioVersion = 17.14.36705.20 d17.14
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src - AGPL", "src - AGPL", "{DD5BD056-4AAE-43EF-BBD2-0B569B8DA84D}"
 EndProject
@ -11,19 +11,19 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{DD5BD056-4
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{458155D3-BCBC-481D-B37A-40D2ED10F0A4}"
 	ProjectSection(SolutionItems) = preProject
+		.dockerignore = .dockerignore
+		.editorconfig = .editorconfig
+		.gitignore = .gitignore
+		CONTRIBUTING.md = CONTRIBUTING.md
 		Directory.Build.props = Directory.Build.props
 		global.json = global.json
-		.gitignore = .gitignore
-		README.md = README.md
-		.editorconfig = .editorconfig
-		TRADEMARK_GUIDELINES.md = TRADEMARK_GUIDELINES.md
-		SECURITY.md = SECURITY.md
-		LICENSE_FAQ.md = LICENSE_FAQ.md
-		LICENSE_BITWARDEN.txt = LICENSE_BITWARDEN.txt
-		LICENSE_AGPL.txt = LICENSE_AGPL.txt
 		LICENSE.txt = LICENSE.txt
-		CONTRIBUTING.md = CONTRIBUTING.md
-		.dockerignore = .dockerignore
+		LICENSE_AGPL.txt = LICENSE_AGPL.txt
+		LICENSE_BITWARDEN.txt = LICENSE_BITWARDEN.txt
+		LICENSE_FAQ.md = LICENSE_FAQ.md
+		README.md = README.md
+		SECURITY.md = SECURITY.md
+		TRADEMARK_GUIDELINES.md = TRADEMARK_GUIDELINES.md
 	EndProjectSection
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Core", "src\Core\Core.csproj", "{3973D21B-A692-4B60-9B70-3631C057423A}"
@ -134,10 +134,13 @@ EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DbSeederUtility", "util\DbSeederUtility\DbSeederUtility.csproj", "{17A89266-260A-4A03-81AE-C0468C6EE06E}"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "RustSdk", "util\RustSdk\RustSdk.csproj", "{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}"
+EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharedWeb.Test", "test\SharedWeb.Test\SharedWeb.Test.csproj", "{AD59537D-5259-4B7A-948F-0CF58E80B359}"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SSO.Test", "bitwarden_license\test\SSO.Test\SSO.Test.csproj", "{7D98784C-C253-43FB-9873-25B65C6250D6}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Sso.IntegrationTest", "bitwarden_license\test\Sso.IntegrationTest\Sso.IntegrationTest.csproj", "{FFB09376-595B-6F93-36F0-70CAE90AFECB}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@ -354,6 +357,10 @@ Global
 		{7D98784C-C253-43FB-9873-25B65C6250D6}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{7D98784C-C253-43FB-9873-25B65C6250D6}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{7D98784C-C253-43FB-9873-25B65C6250D6}.Release|Any CPU.Build.0 = Release|Any CPU
+		{FFB09376-595B-6F93-36F0-70CAE90AFECB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{FFB09376-595B-6F93-36F0-70CAE90AFECB}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{FFB09376-595B-6F93-36F0-70CAE90AFECB}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{FFB09376-595B-6F93-36F0-70CAE90AFECB}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@ -411,6 +418,7 @@ Global
 		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84E}
 		{AD59537D-5259-4B7A-948F-0CF58E80B359} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
 		{7D98784C-C253-43FB-9873-25B65C6250D6} = {287CFF34-BBDB-4BC4-AF88-1E19A5A4679B}
+		{FFB09376-595B-6F93-36F0-70CAE90AFECB} = {287CFF34-BBDB-4BC4-AF88-1E19A5A4679B}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {E01CBF68-2E20-425F-9EDB-E0A6510CA92F}
--- a/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs
@ -113,7 +113,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
                await _providerBillingService.CreateCustomerForClientOrganization(provider, organization);
            }

-            var customer = await _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
+            var customer = await _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
            {
                Description = string.Empty,
                Email = organization.BillingEmail,
@ -138,7 +138,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv

            subscriptionCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };

-            var subscription = await _stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
+            var subscription = await _stripeAdapter.CreateSubscriptionAsync(subscriptionCreateOptions);

            organization.GatewaySubscriptionId = subscription.Id;
            organization.Status = OrganizationStatusType.Created;
@ -148,27 +148,26 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
        }
        else if (organization.IsStripeEnabled())
        {
-            var subscription = await _stripeAdapter.SubscriptionGetAsync(organization.GatewaySubscriptionId, new SubscriptionGetOptions
+            var subscription = await _stripeAdapter.GetSubscriptionAsync(organization.GatewaySubscriptionId, new SubscriptionGetOptions
            {
                Expand = ["customer"]
            });
-
            if (subscription.Status is StripeConstants.SubscriptionStatus.Canceled or StripeConstants.SubscriptionStatus.IncompleteExpired)
            {
                return;
            }

-            await _stripeAdapter.CustomerUpdateAsync(subscription.CustomerId, new CustomerUpdateOptions
+            await _stripeAdapter.UpdateCustomerAsync(subscription.CustomerId, new CustomerUpdateOptions
            {
                Email = organization.BillingEmail
            });

            if (subscription.Customer.Discount?.Coupon != null)
            {
-                await _stripeAdapter.CustomerDeleteDiscountAsync(subscription.CustomerId);
+                await _stripeAdapter.DeleteCustomerDiscountAsync(subscription.CustomerId);
            }

-            await _stripeAdapter.SubscriptionUpdateAsync(organization.GatewaySubscriptionId, new SubscriptionUpdateOptions
+            await _stripeAdapter.UpdateSubscriptionAsync(organization.GatewaySubscriptionId, new SubscriptionUpdateOptions
            {
                CollectionMethod = StripeConstants.CollectionMethod.SendInvoice,
                DaysUntilDue = 30,
--- a/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
+++ b/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
@ -9,12 +9,16 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Payment.Models;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Providers.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@ -59,6 +63,7 @@ public class ProviderService : IProviderService
    private readonly IProviderBillingService _providerBillingService;
    private readonly IPricingClient _pricingClient;
    private readonly IProviderClientOrganizationSignUpCommand _providerClientOrganizationSignUpCommand;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;

    public ProviderService(IProviderRepository providerRepository, IProviderUserRepository providerUserRepository,
        IProviderOrganizationRepository providerOrganizationRepository, IUserRepository userRepository,
@ -68,7 +73,8 @@ public class ProviderService : IProviderService
        ICurrentContext currentContext, IStripeAdapter stripeAdapter, IFeatureService featureService,
        IDataProtectorTokenFactory<ProviderDeleteTokenable> providerDeleteTokenDataFactory,
        IApplicationCacheService applicationCacheService, IProviderBillingService providerBillingService, IPricingClient pricingClient,
-        IProviderClientOrganizationSignUpCommand providerClientOrganizationSignUpCommand)
+        IProviderClientOrganizationSignUpCommand providerClientOrganizationSignUpCommand,
+        IPolicyRequirementQuery policyRequirementQuery)
    {
        _providerRepository = providerRepository;
        _providerUserRepository = providerUserRepository;
@ -89,6 +95,7 @@ public class ProviderService : IProviderService
        _providerBillingService = providerBillingService;
        _pricingClient = pricingClient;
        _providerClientOrganizationSignUpCommand = providerClientOrganizationSignUpCommand;
+        _policyRequirementQuery = policyRequirementQuery;
    }

    public async Task<Provider> CompleteSetupAsync(Provider provider, Guid ownerUserId, string token, string key, TokenizedPaymentMethod paymentMethod, BillingAddress billingAddress)
@ -116,6 +123,18 @@ public class ProviderService : IProviderService
            throw new BadRequestException("Invalid owner.");
        }

+        if (_featureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
+        {
+            var organizationAutoConfirmPolicyRequirement = await _policyRequirementQuery
+                .GetAsync<AutomaticUserConfirmationPolicyRequirement>(ownerUserId);
+
+            if (organizationAutoConfirmPolicyRequirement
+                .CannotCreateProvider())
+            {
+                throw new BadRequestException(new UserCannotJoinProvider().Message);
+            }
+        }
+
        var customer = await _providerBillingService.SetupCustomer(provider, paymentMethod, billingAddress);
        provider.GatewayCustomerId = customer.Id;
        var subscription = await _providerBillingService.SetupSubscription(provider);
@ -248,6 +267,18 @@ public class ProviderService : IProviderService
            throw new BadRequestException("User email does not match invite.");
        }

+        if (_featureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
+        {
+            var organizationAutoConfirmPolicyRequirement = await _policyRequirementQuery
+                .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id);
+
+            if (organizationAutoConfirmPolicyRequirement
+                .CannotJoinProvider())
+            {
+                throw new BadRequestException(new UserCannotJoinProvider().Message);
+            }
+        }
+
        providerUser.Status = ProviderUserStatusType.Accepted;
        providerUser.UserId = user.Id;
        providerUser.Email = null;
@ -293,6 +324,19 @@ public class ProviderService : IProviderService
                    throw new BadRequestException("Invalid user.");
                }

+                if (_featureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
+                {
+                    var organizationAutoConfirmPolicyRequirement = await _policyRequirementQuery
+                        .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id);
+
+                    if (organizationAutoConfirmPolicyRequirement
+                        .CannotJoinProvider())
+                    {
+                        result.Add(Tuple.Create(providerUser, new UserCannotJoinProvider().Message));
+                        continue;
+                    }
+                }
+
                providerUser.Status = ProviderUserStatusType.Confirmed;
                providerUser.Key = keys[providerUser.Id];
                providerUser.Email = null;
@ -427,7 +471,7 @@ public class ProviderService : IProviderService

        if (!string.IsNullOrEmpty(organization.GatewayCustomerId))
        {
-            await _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
+            await _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
            {
                Email = provider.BillingEmail
            });
@ -487,7 +531,7 @@ public class ProviderService : IProviderService

    private async Task<SubscriptionItem> GetSubscriptionItemAsync(string subscriptionId, string oldPlanId)
    {
-        var subscriptionDetails = await _stripeAdapter.SubscriptionGetAsync(subscriptionId);
+        var subscriptionDetails = await _stripeAdapter.GetSubscriptionAsync(subscriptionId);
        return subscriptionDetails.Items.Data.FirstOrDefault(item => item.Price.Id == oldPlanId);
    }

@ -497,7 +541,7 @@ public class ProviderService : IProviderService
        {
            if (subscriptionItem.Price.Id != extractedPlanType)
            {
-                await _stripeAdapter.SubscriptionUpdateAsync(subscriptionItem.Subscription,
+                await _stripeAdapter.UpdateSubscriptionAsync(subscriptionItem.Subscription,
                    new Stripe.SubscriptionUpdateOptions
                    {
                        Items = new List<Stripe.SubscriptionItemOptions>
--- a/bitwarden_license/src/Commercial.Core/Billing/Providers/Queries/GetProviderWarningsQuery.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/Providers/Queries/GetProviderWarningsQuery.cs
@ -4,7 +4,6 @@ using Bit.Core.Billing.Providers.Models;
 using Bit.Core.Billing.Providers.Queries;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
-using Bit.Core.Services;
 using Stripe;
 using Stripe.Tax;

@ -76,8 +75,8 @@ public class GetProviderWarningsQuery(

        // Get active and scheduled registrations
        var registrations = (await Task.WhenAll(
-                stripeAdapter.TaxRegistrationsListAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Active }),
-                stripeAdapter.TaxRegistrationsListAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Scheduled })))
+                stripeAdapter.ListTaxRegistrationsAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Active }),
+                stripeAdapter.ListTaxRegistrationsAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Scheduled })))
            .SelectMany(registrations => registrations.Data);

        // Find the matching registration for the customer
--- a/bitwarden_license/src/Commercial.Core/Billing/Providers/Services/BusinessUnitConverter.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/Providers/Services/BusinessUnitConverter.cs
@ -101,7 +101,7 @@ public class BusinessUnitConverter(
        providerUser.Status = ProviderUserStatusType.Confirmed;

        // Stripe requires that we clear all the custom fields from the invoice settings if we want to replace them.
-        await stripeAdapter.CustomerUpdateAsync(subscription.CustomerId, new CustomerUpdateOptions
+        await stripeAdapter.UpdateCustomerAsync(subscription.CustomerId, new CustomerUpdateOptions
        {
            InvoiceSettings = new CustomerInvoiceSettingsOptions
            {
@ -116,7 +116,7 @@ public class BusinessUnitConverter(
            ["convertedFrom"] = organization.Id.ToString()
        };

-        var updateCustomer = stripeAdapter.CustomerUpdateAsync(subscription.CustomerId, new CustomerUpdateOptions
+        var updateCustomer = stripeAdapter.UpdateCustomerAsync(subscription.CustomerId, new CustomerUpdateOptions
        {
            InvoiceSettings = new CustomerInvoiceSettingsOptions
            {
@ -148,7 +148,7 @@ public class BusinessUnitConverter(

        // Replace the existing password manager price with the new business unit price.
        var updateSubscription =
-            stripeAdapter.SubscriptionUpdateAsync(subscription.Id,
+            stripeAdapter.UpdateSubscriptionAsync(subscription.Id,
                new SubscriptionUpdateOptions
                {
                    Items = [
--- a/bitwarden_license/src/Commercial.Core/Billing/Providers/Services/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/Providers/Services/ProviderBillingService.cs
@ -61,11 +61,11 @@ public class ProviderBillingService(
        Organization organization,
        string key)
    {
-        await stripeAdapter.SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+        await stripeAdapter.UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
            new SubscriptionUpdateOptions { CancelAtPeriodEnd = false });

        var subscription =
-            await stripeAdapter.SubscriptionCancelAsync(organization.GatewaySubscriptionId,
+            await stripeAdapter.CancelSubscriptionAsync(organization.GatewaySubscriptionId,
                new SubscriptionCancelOptions
                {
                    CancellationDetails = new SubscriptionCancellationDetailsOptions
@ -83,7 +83,7 @@ public class ProviderBillingService(

        if (!wasTrialing && subscription.LatestInvoice.Status == InvoiceStatus.Draft)
        {
-            await stripeAdapter.InvoiceFinalizeInvoiceAsync(subscription.LatestInvoiceId,
+            await stripeAdapter.FinalizeInvoiceAsync(subscription.LatestInvoiceId,
                new InvoiceFinalizeOptions { AutoAdvance = true });
        }

@ -138,7 +138,7 @@ public class ProviderBillingService(

        if (clientCustomer.Balance != 0)
        {
-            await stripeAdapter.CustomerBalanceTransactionCreate(provider.GatewayCustomerId,
+            await stripeAdapter.CreateCustomerBalanceTransactionAsync(provider.GatewayCustomerId,
                new CustomerBalanceTransactionCreateOptions
                {
                    Amount = clientCustomer.Balance,
@ -187,7 +187,7 @@ public class ProviderBillingService(
            ]
        };

-        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId, updateOptions);
+        await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId, updateOptions);

        // Refactor later to ?ChangeClientPlanCommand? (ProviderPlanId, ProviderId, OrganizationId)
        // 1. Retrieve PlanType and PlanName for ProviderPlan
@ -275,7 +275,7 @@ public class ProviderBillingService(
            customerCreateOptions.TaxExempt = TaxExempt.Reverse;
        }

-        var customer = await stripeAdapter.CustomerCreateAsync(customerCreateOptions);
+        var customer = await stripeAdapter.CreateCustomerAsync(customerCreateOptions);

        organization.GatewayCustomerId = customer.Id;

@ -525,7 +525,7 @@ public class ProviderBillingService(
            case TokenizablePaymentMethodType.BankAccount:
                {
                    var setupIntent =
-                        (await stripeAdapter.SetupIntentList(new SetupIntentListOptions
+                        (await stripeAdapter.ListSetupIntentsAsync(new SetupIntentListOptions
                        {
                            PaymentMethod = paymentMethod.Token
                        }))
@ -558,7 +558,7 @@ public class ProviderBillingService(

        try
        {
-            return await stripeAdapter.CustomerCreateAsync(options);
+            return await stripeAdapter.CreateCustomerAsync(options);
        }
        catch (StripeException stripeException) when (stripeException.StripeError?.Code == ErrorCodes.TaxIdInvalid)
        {
@ -580,7 +580,7 @@ public class ProviderBillingService(
                case TokenizablePaymentMethodType.BankAccount:
                    {
                        var setupIntentId = await setupIntentCache.GetSetupIntentIdForSubscriber(provider.Id);
-                        await stripeAdapter.SetupIntentCancel(setupIntentId,
+                        await stripeAdapter.CancelSetupIntentAsync(setupIntentId,
                            new SetupIntentCancelOptions { CancellationReason = "abandoned" });
                        await setupIntentCache.RemoveSetupIntentForSubscriber(provider.Id);
                        break;
@ -638,7 +638,7 @@ public class ProviderBillingService(
        var setupIntentId = await setupIntentCache.GetSetupIntentIdForSubscriber(provider.Id);

        var setupIntent = !string.IsNullOrEmpty(setupIntentId)
-            ? await stripeAdapter.SetupIntentGet(setupIntentId,
+            ? await stripeAdapter.GetSetupIntentAsync(setupIntentId,
                new SetupIntentGetOptions { Expand = ["payment_method"] })
            : null;

@ -673,7 +673,7 @@ public class ProviderBillingService(

        try
        {
-            var subscription = await stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
+            var subscription = await stripeAdapter.CreateSubscriptionAsync(subscriptionCreateOptions);

            if (subscription is
                {
@ -708,7 +708,7 @@ public class ProviderBillingService(
            subscriberService.UpdatePaymentSource(provider, tokenizedPaymentSource),
            subscriberService.UpdateTaxInformation(provider, taxInformation));

-        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
            new SubscriptionUpdateOptions { CollectionMethod = CollectionMethod.ChargeAutomatically });
    }

@ -791,11 +791,49 @@ public class ProviderBillingService(

        if (subscriptionItemOptionsList.Count > 0)
        {
-            await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+            await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
                new SubscriptionUpdateOptions { Items = subscriptionItemOptionsList });
        }
    }

+    public async Task UpdateProviderNameAndEmail(Provider provider)
+    {
+        if (string.IsNullOrWhiteSpace(provider.GatewayCustomerId))
+        {
+            logger.LogWarning(
+                "Provider ({ProviderId}) has no Stripe customer to update",
+                provider.Id);
+            return;
+        }
+
+        var newDisplayName = provider.DisplayName();
+
+        // Provider.DisplayName() can return null - handle gracefully
+        if (string.IsNullOrWhiteSpace(newDisplayName))
+        {
+            logger.LogWarning(
+                "Provider ({ProviderId}) has no name to update in Stripe",
+                provider.Id);
+            return;
+        }
+
+        await stripeAdapter.UpdateCustomerAsync(provider.GatewayCustomerId,
+            new CustomerUpdateOptions
+            {
+                Email = provider.BillingEmail,
+                Description = newDisplayName,
+                InvoiceSettings = new CustomerInvoiceSettingsOptions
+                {
+                    CustomFields = [
+                        new CustomerInvoiceSettingsCustomFieldOptions
+                        {
+                            Name = provider.SubscriberType(),
+                            Value = newDisplayName
+                        }]
+                },
+            });
+    }
+
    private Func<int, Task> CurrySeatScalingUpdate(
        Provider provider,
        ProviderPlan providerPlan,
@ -807,7 +845,7 @@ public class ProviderBillingService(

        var item = subscription.Items.First(item => item.Price.Id == priceId);

-        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId, new SubscriptionUpdateOptions
+        await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId, new SubscriptionUpdateOptions
        {
            Items =
            [
--- a/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/Repositories/SecretVersionRepository.cs
+++ b/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/Repositories/SecretVersionRepository.cs
@ -0,0 +1,94 @@
+using AutoMapper;
+using Bit.Core.SecretsManager.Repositories;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Bit.Infrastructure.EntityFramework.SecretsManager.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Commercial.Infrastructure.EntityFramework.SecretsManager.Repositories;
+
+public class SecretVersionRepository : Repository<Core.SecretsManager.Entities.SecretVersion, SecretVersion, Guid>, ISecretVersionRepository
+{
+    public SecretVersionRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
+        : base(serviceScopeFactory, mapper, db => db.SecretVersion)
+    { }
+
+    public override async Task<Core.SecretsManager.Entities.SecretVersion?> GetByIdAsync(Guid id)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var secretVersion = await dbContext.SecretVersion
+            .Where(sv => sv.Id == id)
+            .FirstOrDefaultAsync();
+        return Mapper.Map<Core.SecretsManager.Entities.SecretVersion>(secretVersion);
+    }
+
+    public async Task<IEnumerable<Core.SecretsManager.Entities.SecretVersion>> GetManyBySecretIdAsync(Guid secretId)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var secretVersions = await dbContext.SecretVersion
+            .Where(sv => sv.SecretId == secretId)
+            .OrderByDescending(sv => sv.VersionDate)
+            .ToListAsync();
+        return Mapper.Map<List<Core.SecretsManager.Entities.SecretVersion>>(secretVersions);
+    }
+
+    public async Task<IEnumerable<Core.SecretsManager.Entities.SecretVersion>> GetManyByIdsAsync(IEnumerable<Guid> ids)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var versionIds = ids.ToList();
+        var secretVersions = await dbContext.SecretVersion
+            .Where(sv => versionIds.Contains(sv.Id))
+            .OrderByDescending(sv => sv.VersionDate)
+            .ToListAsync();
+        return Mapper.Map<List<Core.SecretsManager.Entities.SecretVersion>>(secretVersions);
+    }
+
+    public override async Task<Core.SecretsManager.Entities.SecretVersion> CreateAsync(Core.SecretsManager.Entities.SecretVersion secretVersion)
+    {
+        const int maxVersionsToKeep = 10;
+
+        await using var scope = ServiceScopeFactory.CreateAsyncScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        await using var transaction = await dbContext.Database.BeginTransactionAsync();
+
+        // Get the IDs of the most recent (maxVersionsToKeep - 1) versions to keep
+        var versionsToKeepIds = await dbContext.SecretVersion
+            .Where(sv => sv.SecretId == secretVersion.SecretId)
+            .OrderByDescending(sv => sv.VersionDate)
+            .Take(maxVersionsToKeep - 1)
+            .Select(sv => sv.Id)
+            .ToListAsync();
+
+        // Delete all versions for this secret that are not in the "keep" list
+        if (versionsToKeepIds.Any())
+        {
+            await dbContext.SecretVersion
+                .Where(sv => sv.SecretId == secretVersion.SecretId && !versionsToKeepIds.Contains(sv.Id))
+                .ExecuteDeleteAsync();
+        }
+
+        secretVersion.SetNewId();
+        var entity = Mapper.Map<SecretVersion>(secretVersion);
+
+        await dbContext.AddAsync(entity);
+        await dbContext.SaveChangesAsync();
+        await transaction.CommitAsync();
+
+        return secretVersion;
+    }
+
+    public async Task DeleteManyByIdAsync(IEnumerable<Guid> ids)
+    {
+        await using var scope = ServiceScopeFactory.CreateAsyncScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        var secretVersionIds = ids.ToList();
+        await dbContext.SecretVersion
+            .Where(sv => secretVersionIds.Contains(sv.Id))
+            .ExecuteDeleteAsync();
+    }
+}
--- a/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/SecretsManagerEFServiceCollectionExtensions.cs
+++ b/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/SecretsManagerEFServiceCollectionExtensions.cs
@ -10,6 +10,7 @@ public static class SecretsManagerEfServiceCollectionExtensions
    {
        services.AddSingleton<IAccessPolicyRepository, AccessPolicyRepository>();
        services.AddSingleton<ISecretRepository, SecretRepository>();
+        services.AddSingleton<ISecretVersionRepository, SecretVersionRepository>();
        services.AddSingleton<IProjectRepository, ProjectRepository>();
        services.AddSingleton<IServiceAccountRepository, ServiceAccountRepository>();
    }
--- a/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs
+++ b/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs
@ -61,17 +61,15 @@ public class GroupsController : Controller
    [HttpGet("")]
    public async Task<IActionResult> Get(
        Guid organizationId,
-        [FromQuery] string filter,
-        [FromQuery] int? count,
-        [FromQuery] int? startIndex)
+        [FromQuery] GetGroupsQueryParamModel model)
    {
-        var groupsListQueryResult = await _getGroupsListQuery.GetGroupsListAsync(organizationId, filter, count, startIndex);
+        var groupsListQueryResult = await _getGroupsListQuery.GetGroupsListAsync(organizationId, model);
        var scimListResponseModel = new ScimListResponseModel<ScimGroupResponseModel>
        {
            Resources = groupsListQueryResult.groupList.Select(g => new ScimGroupResponseModel(g)).ToList(),
-            ItemsPerPage = count.GetValueOrDefault(groupsListQueryResult.groupList.Count()),
+            ItemsPerPage = model.Count,
            TotalResults = groupsListQueryResult.totalResults,
-            StartIndex = startIndex.GetValueOrDefault(1),
+            StartIndex = model.StartIndex,
        };
        return Ok(scimListResponseModel);
    }
--- a/bitwarden_license/src/Scim/Controllers/v2/UsersController.cs
+++ b/bitwarden_license/src/Scim/Controllers/v2/UsersController.cs
@ -3,6 +3,7 @@

 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
--- a/bitwarden_license/src/Scim/Groups/GetGroupsListQuery.cs
+++ b/bitwarden_license/src/Scim/Groups/GetGroupsListQuery.cs
@ -4,6 +4,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Scim.Groups.Interfaces;
+using Bit.Scim.Models;

 namespace Bit.Scim.Groups;

@ -16,10 +17,16 @@ public class GetGroupsListQuery : IGetGroupsListQuery
        _groupRepository = groupRepository;
    }

-    public async Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(Guid organizationId, string filter, int? count, int? startIndex)
+    public async Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(
+        Guid organizationId, GetGroupsQueryParamModel groupQueryParams)
    {
        string nameFilter = null;
        string externalIdFilter = null;
+
+        int count = groupQueryParams.Count;
+        int startIndex = groupQueryParams.StartIndex;
+        string filter = groupQueryParams.Filter;
+
        if (!string.IsNullOrWhiteSpace(filter))
        {
            if (filter.StartsWith("displayName eq "))
@ -53,11 +60,11 @@ public class GetGroupsListQuery : IGetGroupsListQuery
            }
            totalResults = groupList.Count;
        }
-        else if (string.IsNullOrWhiteSpace(filter) && startIndex.HasValue && count.HasValue)
+        else if (string.IsNullOrWhiteSpace(filter))
        {
            groupList = groups.OrderBy(g => g.Name)
-                .Skip(startIndex.Value - 1)
-                .Take(count.Value)
+                .Skip(startIndex - 1)
+                .Take(count)
                .ToList();
            totalResults = groups.Count;
        }
--- a/bitwarden_license/src/Scim/Groups/Interfaces/IGetGroupsListQuery.cs
+++ b/bitwarden_license/src/Scim/Groups/Interfaces/IGetGroupsListQuery.cs
@ -1,8 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Scim.Models;

 namespace Bit.Scim.Groups.Interfaces;

 public interface IGetGroupsListQuery
 {
-    Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(Guid organizationId, string filter, int? count, int? startIndex);
+    Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(Guid organizationId, GetGroupsQueryParamModel model);
 }
--- a/bitwarden_license/src/Scim/Models/GetGroupsQueryParamModel.cs
+++ b/bitwarden_license/src/Scim/Models/GetGroupsQueryParamModel.cs
@ -0,0 +1,14 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Scim.Models;
+
+public class GetGroupsQueryParamModel
+{
+    public string Filter { get; init; } = string.Empty;
+
+    [Range(1, int.MaxValue)]
+    public int Count { get; init; } = 50;
+
+    [Range(1, int.MaxValue)]
+    public int StartIndex { get; init; } = 1;
+}
--- a/bitwarden_license/src/Scim/Models/GetUsersQueryParamModel.cs
+++ b/bitwarden_license/src/Scim/Models/GetUsersQueryParamModel.cs
@ -1,5 +1,7 @@
 using System.ComponentModel.DataAnnotations;

+namespace Bit.Scim.Models;
+
 public class GetUsersQueryParamModel
 {
    public string Filter { get; init; } = string.Empty;
--- a/bitwarden_license/src/Scim/Users/GetUsersListQuery.cs
+++ b/bitwarden_license/src/Scim/Users/GetUsersListQuery.cs
@ -3,6 +3,7 @@

 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
+using Bit.Scim.Models;
 using Bit.Scim.Users.Interfaces;

 namespace Bit.Scim.Users;
--- a/bitwarden_license/src/Scim/Users/Interfaces/IGetUsersListQuery.cs
+++ b/bitwarden_license/src/Scim/Users/Interfaces/IGetUsersListQuery.cs
@ -1,4 +1,5 @@
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Scim.Models;

 namespace Bit.Scim.Users.Interfaces;

--- a/bitwarden_license/src/Scim/Users/PatchUserCommand.cs
+++ b/bitwarden_license/src/Scim/Users/PatchUserCommand.cs
@ -1,5 +1,5 @@
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
--- a/bitwarden_license/src/Scim/Users/PostUserCommand.cs
+++ b/bitwarden_license/src/Scim/Users/PostUserCommand.cs
@ -8,6 +8,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.E
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.AdminConsole.Utilities.Commands;
 using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
@ -24,7 +25,7 @@ public class PostUserCommand(
    IOrganizationRepository organizationRepository,
    IOrganizationUserRepository organizationUserRepository,
    IOrganizationService organizationService,
-    IPaymentService paymentService,
+    IStripePaymentService paymentService,
    IScimContext scimContext,
    IFeatureService featureService,
    IInviteOrganizationUsersCommand inviteOrganizationUsersCommand,
--- a/bitwarden_license/src/Sso/Controllers/AccountController.cs
+++ b/bitwarden_license/src/Sso/Controllers/AccountController.cs
@ -201,12 +201,15 @@ public class AccountController : Controller
            returnUrl,
            state = context.Parameters["state"],
            userIdentifier = context.Parameters["session_state"],
+            ssoToken
        });
    }

    [HttpGet]
-    public IActionResult ExternalChallenge(string scheme, string returnUrl, string state, string userIdentifier)
+    public IActionResult ExternalChallenge(string scheme, string returnUrl, string state, string userIdentifier, string ssoToken)
    {
+        ValidateSchemeAgainstSsoToken(scheme, ssoToken);
+
        if (string.IsNullOrEmpty(returnUrl))
        {
            returnUrl = "~/";
@ -235,6 +238,31 @@ public class AccountController : Controller
        return Challenge(props, scheme);
    }

+    /// <summary>
+    /// Validates the scheme (organization ID) against the organization ID found in the ssoToken.
+    /// </summary>
+    /// <param name="scheme">The authentication scheme (organization ID) to validate.</param>
+    /// <param name="ssoToken">The SSO token to validate against.</param>
+    /// <exception cref="Exception">Thrown if the scheme (organization ID) does not match the organization ID found in the ssoToken.</exception>
+    private void ValidateSchemeAgainstSsoToken(string scheme, string ssoToken)
+    {
+        SsoTokenable tokenable;
+
+        try
+        {
+            tokenable = _dataProtector.Unprotect(ssoToken);
+        }
+        catch
+        {
+            throw new Exception(_i18nService.T("InvalidSsoToken"));
+        }
+
+        if (!Guid.TryParse(scheme, out var schemeOrgId) || tokenable.OrganizationId != schemeOrgId)
+        {
+            throw new Exception(_i18nService.T("SsoOrganizationIdMismatch"));
+        }
+    }
+
    [HttpGet]
    public async Task<IActionResult> ExternalCallback()
    {
@ -434,6 +462,7 @@ public class AccountController : Controller
        // FIXME: Update this file to be null safe and then delete the line below
 #nullable disable
        var provider = result.Properties.Items["scheme"];
+        //Todo: Validate provider is a valid GUID with TryParse instead. When this is invalid it throws an exception
        var orgId = new Guid(provider);
        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(orgId);
        if (ssoConfig == null || !ssoConfig.Enabled)
@ -587,7 +616,7 @@ public class AccountController : Controller

            // Since we're in the auto-provisioning logic, this means that the user exists, but they have not
            // authenticated with the org's SSO provider before now (otherwise we wouldn't be auto-provisioning them).
-            // We've verified that the user is Accepted or Confnirmed, so we can create an SsoUser link and proceed
+            // We've verified that the user is Accepted or Confirmed, so we can create an SsoUser link and proceed
            // with authentication.
            await CreateSsoUserRecordAsync(providerUserId, guaranteedExistingUser.Id, organization.Id, guaranteedOrgUser);

@ -652,22 +681,10 @@ public class AccountController : Controller
            ApiKey = CoreHelpers.SecureRandomString(30)
        };

-        /*
-            The feature flag is checked here so that we can send the new MJML welcome email templates.
-            The other organization invites flows have an OrganizationUser allowing the RegisterUserCommand the ability
-            to fetch the Organization. The old method RegisterUser(User) here does not have that context, so we need
-            to use a new method RegisterSSOAutoProvisionedUserAsync(User, Organization) to send the correct email.
-            [PM-28057]: Prefer RegisterSSOAutoProvisionedUserAsync for SSO auto-provisioned users.
-            TODO: Remove Feature flag: PM-28221
-        */
-        if (_featureService.IsEnabled(FeatureFlagKeys.MjmlWelcomeEmailTemplates))
-        {
-            await _registerUserCommand.RegisterSSOAutoProvisionedUserAsync(newUser, organization);
-        }
-        else
-        {
-            await _registerUserCommand.RegisterUser(newUser);
-        }
+        // Always use RegisterSSOAutoProvisionedUserAsync to ensure organization context is available
+        // for domain validation (BlockClaimedDomainAccountCreation policy) and welcome emails.
+        // The feature flag logic for welcome email templates is handled internally by RegisterUserCommand.
+        await _registerUserCommand.RegisterSSOAutoProvisionedUserAsync(newUser, organization);

        // If the organization has 2fa policy enabled, make sure to default jit user 2fa to email
        var twoFactorPolicy =
--- a/bitwarden_license/src/Sso/appsettings.Development.json
+++ b/bitwarden_license/src/Sso/appsettings.Development.json
@ -25,6 +25,12 @@
      "connectionString": "UseDevelopmentStorage=true"
    },
    "developmentDirectory": "../../../dev",
-    "pricingUri": "https://billingpricing.qa.bitwarden.pw"
+    "pricingUri": "https://billingpricing.qa.bitwarden.pw",
+    "mail": {
+      "smtp": {
+        "host": "localhost",
+        "port": 10250
+      }
+    }
  }
 }
--- a/bitwarden_license/src/Sso/appsettings.json
+++ b/bitwarden_license/src/Sso/appsettings.json
@ -13,7 +13,11 @@
    "mail": {
      "sendGridApiKey": "SECRET",
      "amazonConfigSetName": "Email",
-      "replyToEmail": "no-reply@bitwarden.com"
+      "replyToEmail": "no-reply@bitwarden.com",
+      "smtp": {
+        "host": "localhost",
+        "port": 10250
+      }
    },
    "identityServer": {
      "certificateThumbprint": "SECRET"
--- a/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs
@ -131,7 +131,7 @@ public class RemoveOrganizationFromProviderCommandTests
                Arg.Is<IEnumerable<string>>(emails => emails.FirstOrDefault() == "a@example.com"));

        await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs()
-            .CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>());
+            .UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>());
    }

    [Theory, BitAutoData]
@ -156,7 +156,7 @@ public class RemoveOrganizationFromProviderCommandTests
            "b@example.com"
        ]);

-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionGetAsync(organization.GatewaySubscriptionId, Arg.Is<SubscriptionGetOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().GetSubscriptionAsync(organization.GatewaySubscriptionId, Arg.Is<SubscriptionGetOptions>(
                options => options.Expand.Contains("customer")))
            .Returns(GetSubscription(organization.GatewaySubscriptionId, organization.GatewayCustomerId));

@ -164,12 +164,14 @@ public class RemoveOrganizationFromProviderCommandTests

        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();

-        await stripeAdapter.Received(1).CustomerUpdateAsync(organization.GatewayCustomerId,
+        await stripeAdapter.Received(1).UpdateCustomerAsync(organization.GatewayCustomerId,
            Arg.Is<CustomerUpdateOptions>(options => options.Email == "a@example.com"));

-        await stripeAdapter.Received(1).CustomerDeleteDiscountAsync(organization.GatewayCustomerId);
+        await stripeAdapter.Received(1).DeleteCustomerDiscountAsync(organization.GatewayCustomerId);

-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).DeleteCustomerDiscountAsync(organization.GatewayCustomerId);
+
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
            Arg.Is<SubscriptionUpdateOptions>(options =>
                options.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
                options.DaysUntilDue == 30));
@ -226,7 +228,7 @@ public class RemoveOrganizationFromProviderCommandTests

        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();

-        stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
            options.Description == string.Empty &&
            options.Email == organization.BillingEmail &&
            options.Expand[0] == "tax" &&
@ -239,14 +241,14 @@ public class RemoveOrganizationFromProviderCommandTests
                }
            });

-        stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
+        stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
        {
            Id = "subscription_id"
        });

        await sutProvider.Sut.RemoveOrganizationFromProvider(provider, providerOrganization, organization);

-        await stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(options =>
+        await stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(options =>
            options.Customer == organization.GatewayCustomerId &&
            options.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
            options.DaysUntilDue == 30 &&
@ -315,7 +317,7 @@ public class RemoveOrganizationFromProviderCommandTests

        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();

-        stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
            options.Description == string.Empty &&
            options.Email == organization.BillingEmail &&
            options.Expand[0] == "tax" &&
@ -328,14 +330,14 @@ public class RemoveOrganizationFromProviderCommandTests
                }
            });

-        stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
+        stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
        {
            Id = "subscription_id"
        });

        await sutProvider.Sut.RemoveOrganizationFromProvider(provider, providerOrganization, organization);

-        await stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(options =>
+        await stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(options =>
            options.Customer == organization.GatewayCustomerId &&
            options.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
            options.DaysUntilDue == 30 &&
@ -434,7 +436,7 @@ public class RemoveOrganizationFromProviderCommandTests

        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();

-        stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Any<CustomerUpdateOptions>())
+        stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Any<CustomerUpdateOptions>())
            .Returns(new Customer
            {
                Id = "customer_id",
@ -444,7 +446,7 @@ public class RemoveOrganizationFromProviderCommandTests
                }
            });

-        stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
+        stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
        {
            Id = "new_subscription_id"
        });
--- a/bitwarden_license/test/Commercial.Core.Test/AdminConsole/Services/ProviderServiceTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/AdminConsole/Services/ProviderServiceTests.cs
@ -1,17 +1,23 @@
 using Bit.Commercial.Core.AdminConsole.Services;
 using Bit.Commercial.Core.Test.AdminConsole.AutoFixture;
+using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.Models.Data.Provider;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Payment.Models;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Providers.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@ -100,6 +106,57 @@ public class ProviderServiceTests
            .ReplaceAsync(Arg.Is<ProviderUser>(pu => pu.UserId == user.Id && pu.ProviderId == provider.Id && pu.Key == key));
    }

+    [Theory, BitAutoData]
+    public async Task CompleteSetupAsync_WithAutoConfirmEnabled_ThrowsUserCannotJoinProviderError(User user, Provider provider,
+        string key,
+        TokenizedPaymentMethod tokenizedPaymentMethod, BillingAddress billingAddress,
+        [ProviderUser] ProviderUser providerUser,
+        SutProvider<ProviderService> sutProvider)
+    {
+        providerUser.ProviderId = provider.Id;
+        providerUser.UserId = user.Id;
+        var userService = sutProvider.GetDependency<IUserService>();
+        userService.GetUserByIdAsync(user.Id).Returns(user);
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetByProviderUserAsync(provider.Id, user.Id).Returns(providerUser);
+
+        var dataProtectionProvider = DataProtectionProvider.Create("ApplicationName");
+        var protector = dataProtectionProvider.CreateProtector("ProviderServiceDataProtector");
+        sutProvider.GetDependency<IDataProtectionProvider>().CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+
+        var providerBillingService = sutProvider.GetDependency<IProviderBillingService>();
+
+        var customer = new Customer { Id = "customer_id" };
+        providerBillingService.SetupCustomer(provider, tokenizedPaymentMethod, billingAddress).Returns(customer);
+
+        var subscription = new Subscription { Id = "subscription_id" };
+        providerBillingService.SetupSubscription(provider).Returns(subscription);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyDetails = new List<PolicyDetails> { new() { OrganizationId = Guid.NewGuid(), IsProvider = false } };
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(policyRequirement);
+
+        sutProvider.Create();
+
+        var token = protector.Protect(
+            $"ProviderSetupInvite {provider.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.CompleteSetupAsync(provider, user.Id, token, key, tokenizedPaymentMethod,
+                billingAddress));
+
+        Assert.Equal(new UserCannotJoinProvider().Message, exception.Message);
+    }
+
    [Theory, BitAutoData]
    public async Task UpdateAsync_ProviderIdIsInvalid_Throws(Provider provider, SutProvider<ProviderService> sutProvider)
    {
@ -579,6 +636,132 @@ public class ProviderServiceTests
        Assert.Equal(user.Id, pu.UserId);
    }

+    [Theory, BitAutoData]
+    public async Task AcceptUserAsync_WithAutoConfirmEnabledAndPolicyExists_Throws(
+        [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser providerUser,
+        User user,
+        SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetByIdAsync(providerUser.Id)
+            .Returns(providerUser);
+
+        var protector = DataProtectionProvider
+            .Create("ApplicationName")
+            .CreateProtector("ProviderServiceDataProtector");
+
+        sutProvider.GetDependency<IDataProtectionProvider>()
+            .CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+
+        sutProvider.Create();
+
+        providerUser.Email = user.Email;
+        var token = protector.Protect($"ProviderUserInvite {providerUser.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyDetails = new List<PolicyDetails>
+        {
+            new() { OrganizationId = Guid.NewGuid(), IsProvider = false }
+        };
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(policyRequirement);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.AcceptUserAsync(providerUser.Id, user, token));
+
+        Assert.Equal(new UserCannotJoinProvider().Message, exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task AcceptUserAsync_WithAutoConfirmEnabledButNoPolicyExists_Success(
+        [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser providerUser,
+        User user,
+        SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetByIdAsync(providerUser.Id)
+            .Returns(providerUser);
+
+        var protector = DataProtectionProvider
+            .Create("ApplicationName")
+            .CreateProtector("ProviderServiceDataProtector");
+
+        sutProvider.GetDependency<IDataProtectionProvider>()
+            .CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+        sutProvider.Create();
+
+        providerUser.Email = user.Email;
+        var token = protector.Protect($"ProviderUserInvite {providerUser.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement([]);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(policyRequirement);
+
+        // Act
+        var pu = await sutProvider.Sut.AcceptUserAsync(providerUser.Id, user, token);
+
+        // Assert
+        Assert.Null(pu.Email);
+        Assert.Equal(ProviderUserStatusType.Accepted, pu.Status);
+        Assert.Equal(user.Id, pu.UserId);
+    }
+
+    [Theory, BitAutoData]
+    public async Task AcceptUserAsync_WithAutoConfirmDisabled_Success(
+        [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser providerUser,
+        User user,
+        SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetByIdAsync(providerUser.Id)
+            .Returns(providerUser);
+
+        var protector = DataProtectionProvider
+            .Create("ApplicationName")
+            .CreateProtector("ProviderServiceDataProtector");
+
+        sutProvider.GetDependency<IDataProtectionProvider>()
+            .CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+        sutProvider.Create();
+
+        providerUser.Email = user.Email;
+        var token = protector.Protect($"ProviderUserInvite {providerUser.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(false);
+
+        // Act
+        var pu = await sutProvider.Sut.AcceptUserAsync(providerUser.Id, user, token);
+
+        // Assert
+        Assert.Null(pu.Email);
+        Assert.Equal(ProviderUserStatusType.Accepted, pu.Status);
+        Assert.Equal(user.Id, pu.UserId);
+
+        // Verify that policy check was never called when feature flag is disabled
+        await sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .DidNotReceive()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id);
+    }
+
    [Theory, BitAutoData]
    public async Task ConfirmUsersAsync_NoValid(
        [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser pu1,
@ -625,13 +808,131 @@ public class ProviderServiceTests
        Assert.Equal("Invalid user.", result[2].Item2);
    }

+    [Theory, BitAutoData]
+    public async Task ConfirmUsersAsync_WithAutoConfirmEnabledAndPolicyExists_ReturnsError(
+        [ProviderUser(ProviderUserStatusType.Accepted)] ProviderUser pu1, User u1,
+        Provider provider, User confirmingUser, SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        pu1.ProviderId = provider.Id;
+        pu1.UserId = u1.Id;
+        var providerUsers = new[] { pu1 };
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetManyAsync([]).ReturnsForAnyArgs(providerUsers);
+        sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([u1]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyDetails = new List<PolicyDetails>
+        {
+            new() { OrganizationId = Guid.NewGuid(), IsProvider = false }
+        };
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(u1.Id)
+            .Returns(policyRequirement);
+
+        var dict = providerUsers.ToDictionary(pu => pu.Id, _ => "key");
+
+        // Act
+        var result = await sutProvider.Sut.ConfirmUsersAsync(pu1.ProviderId, dict, confirmingUser.Id);
+
+        // Assert
+        Assert.Single(result);
+        Assert.Equal(new UserCannotJoinProvider().Message, result[0].Item2);
+
+        // Verify user was not confirmed
+        await providerUserRepository.DidNotReceive().ReplaceAsync(Arg.Any<ProviderUser>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUsersAsync_WithAutoConfirmEnabledButNoPolicyExists_Success(
+        [ProviderUser(ProviderUserStatusType.Accepted)] ProviderUser pu1, User u1,
+        Provider provider, User confirmingUser, SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        pu1.ProviderId = provider.Id;
+        pu1.UserId = u1.Id;
+        var providerUsers = new[] { pu1 };
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetManyAsync([]).ReturnsForAnyArgs(providerUsers);
+        sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([u1]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(new List<PolicyDetails>());
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(u1.Id)
+            .Returns(policyRequirement);
+
+        var dict = providerUsers.ToDictionary(pu => pu.Id, _ => "key");
+
+        // Act
+        var result = await sutProvider.Sut.ConfirmUsersAsync(pu1.ProviderId, dict, confirmingUser.Id);
+
+        // Assert
+        Assert.Single(result);
+        Assert.Equal("", result[0].Item2);
+
+        // Verify user was confirmed
+        await providerUserRepository.Received(1).ReplaceAsync(Arg.Is<ProviderUser>(pu =>
+            pu.Status == ProviderUserStatusType.Confirmed));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUsersAsync_WithAutoConfirmDisabled_Success(
+        [ProviderUser(ProviderUserStatusType.Accepted)] ProviderUser pu1, User u1,
+        Provider provider, User confirmingUser, SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        pu1.ProviderId = provider.Id;
+        pu1.UserId = u1.Id;
+        var providerUsers = new[] { pu1 };
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetManyAsync([]).ReturnsForAnyArgs(providerUsers);
+
+        sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([u1]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(false);
+
+        var dict = providerUsers.ToDictionary(pu => pu.Id, _ => "key");
+
+        // Act
+        var result = await sutProvider.Sut.ConfirmUsersAsync(pu1.ProviderId, dict, confirmingUser.Id);
+
+        // Assert
+        Assert.Single(result);
+        Assert.Equal("", result[0].Item2);
+
+        // Verify user was confirmed
+        await providerUserRepository.Received(1).ReplaceAsync(Arg.Is<ProviderUser>(pu =>
+            pu.Status == ProviderUserStatusType.Confirmed));
+
+        // Verify that policy check was never called when feature flag is disabled
+        await sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .DidNotReceive()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(Arg.Any<Guid>());
+    }
+
    [Theory, BitAutoData]
    public async Task SaveUserAsync_UserIdIsInvalid_Throws(ProviderUser providerUser,
        SutProvider<ProviderService> sutProvider)
    {
-        providerUser.Id = default;
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveUserAsync(providerUser, default));
+        providerUser.Id = Guid.Empty;
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.SaveUserAsync(providerUser, Guid.Empty));
        Assert.Equal("Invite the user first.", exception.Message);
    }

@ -757,7 +1058,7 @@ public class ProviderServiceTests
        await organizationRepository.Received(1)
            .ReplaceAsync(Arg.Is<Organization>(org => org.BillingEmail == provider.BillingEmail));

-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CustomerUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).UpdateCustomerAsync(
            organization.GatewayCustomerId,
            Arg.Is<CustomerUpdateOptions>(options => options.Email == provider.BillingEmail));

@ -828,9 +1129,9 @@ public class ProviderServiceTests

        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
        var subscriptionItem = GetSubscription(organization.GatewaySubscriptionId);
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionGetAsync(organization.GatewaySubscriptionId)
+        sutProvider.GetDependency<IStripeAdapter>().GetSubscriptionAsync(organization.GatewaySubscriptionId)
            .Returns(GetSubscription(organization.GatewaySubscriptionId));
-        await sutProvider.GetDependency<IStripeAdapter>().SubscriptionUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().UpdateSubscriptionAsync(
            organization.GatewaySubscriptionId, SubscriptionUpdateRequest(expectedPlanId, subscriptionItem));

        await sutProvider.Sut.AddOrganization(provider.Id, organization.Id, key);
--- a/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Queries/GetProviderWarningsQueryTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Queries/GetProviderWarningsQueryTests.cs
@ -3,7 +3,6 @@ using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
-using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@ -63,7 +62,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration> { Data = [] });

        var response = await sutProvider.Sut.Run(provider);
@ -95,7 +94,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration> { Data = [] });

        var response = await sutProvider.Sut.Run(provider);
@ -129,7 +128,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(false);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration> { Data = [] });

        var response = await sutProvider.Sut.Run(provider);
@ -163,7 +162,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration> { Data = [] });

        var response = await sutProvider.Sut.Run(provider);
@ -224,7 +223,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
                Data = [new Registration { Country = "GB" }]
@ -257,7 +256,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
                Data = [new Registration { Country = "CA" }]
@ -296,7 +295,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
                Data = [new Registration { Country = "CA" }]
@ -338,7 +337,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
                Data = [new Registration { Country = "CA" }]
@ -383,7 +382,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
                Data = [new Registration { Country = "CA" }]
@ -428,7 +427,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
                Data = [new Registration { Country = "CA" }]
@ -461,7 +460,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Active))
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Active))
            .Returns(new StripeList<Registration>
            {
                Data = [
@ -470,7 +469,7 @@ public class GetProviderWarningsQueryTests
                    new Registration { Country = "FR" }
                ]
            });
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Scheduled))
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Scheduled))
            .Returns(new StripeList<Registration> { Data = [] });

        var response = await sutProvider.Sut.Run(provider);
@ -505,7 +504,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
                Data = [new Registration { Country = "CA" }]
@ -543,7 +542,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
                Data = [new Registration { Country = "US" }]
--- a/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Services/BusinessUnitConverterTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Services/BusinessUnitConverterTests.cs
@ -144,11 +144,11 @@ public class BusinessUnitConverterTests

        await businessUnitConverter.FinalizeConversion(organization, userId, token, providerKey, organizationKey);

-        await _stripeAdapter.Received(2).CustomerUpdateAsync(subscription.CustomerId, Arg.Any<CustomerUpdateOptions>());
+        await _stripeAdapter.Received(2).UpdateCustomerAsync(subscription.CustomerId, Arg.Any<CustomerUpdateOptions>());

        var updatedPriceId = ProviderPriceAdapter.GetActivePriceId(provider, enterpriseAnnually.Type);

-        await _stripeAdapter.Received(1).SubscriptionUpdateAsync(subscription.Id, Arg.Is<SubscriptionUpdateOptions>(
+        await _stripeAdapter.Received(1).UpdateSubscriptionAsync(subscription.Id, Arg.Is<SubscriptionUpdateOptions>(
            arguments =>
                arguments.Items.Count == 2 &&
                arguments.Items[0].Id == "subscription_item_id" &&
--- a/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Services/ProviderBillingServiceTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Services/ProviderBillingServiceTests.cs
@ -20,7 +20,6 @@ using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
-using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Test.Billing.Mocks;
 using Bit.Test.Common.AutoFixture;
@ -85,7 +84,7 @@ public class ProviderBillingServiceTests

        // Assert
        await providerPlanRepository.Received(0).ReplaceAsync(Arg.Any<ProviderPlan>());
-        await stripeAdapter.Received(0).SubscriptionUpdateAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
+        await stripeAdapter.Received(0).UpdateSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
    }

    [Theory, BitAutoData]
@ -113,7 +112,7 @@ public class ProviderBillingServiceTests

        // Assert
        await providerPlanRepository.Received(0).ReplaceAsync(Arg.Any<ProviderPlan>());
-        await stripeAdapter.Received(0).SubscriptionUpdateAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
+        await stripeAdapter.Received(0).UpdateSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
    }

    [Theory, BitAutoData]
@ -180,14 +179,14 @@ public class ProviderBillingServiceTests
        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();

        await stripeAdapter.Received(1)
-            .SubscriptionUpdateAsync(
+            .UpdateSubscriptionAsync(
                Arg.Is(provider.GatewaySubscriptionId),
                Arg.Is<SubscriptionUpdateOptions>(p =>
                    p.Items.Count(si => si.Id == "si_ent_annual" && si.Deleted == true) == 1));

        var newPlanCfg = MockPlans.Get(command.NewPlan);
        await stripeAdapter.Received(1)
-            .SubscriptionUpdateAsync(
+            .UpdateSubscriptionAsync(
                Arg.Is(provider.GatewaySubscriptionId),
                Arg.Is<SubscriptionUpdateOptions>(p =>
                    p.Items.Count(si =>
@ -268,7 +267,7 @@ public class ProviderBillingServiceTests
                CloudRegion = "US"
            });

-        sutProvider.GetDependency<IStripeAdapter>().CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(
                options =>
                    options.Address.Country == providerCustomer.Address.Country &&
                    options.Address.PostalCode == providerCustomer.Address.PostalCode &&
@ -288,7 +287,7 @@ public class ProviderBillingServiceTests

        await sutProvider.Sut.CreateCustomerForClientOrganization(provider, organization);

-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(
            options =>
                options.Address.Country == providerCustomer.Address.Country &&
                options.Address.PostalCode == providerCustomer.Address.PostalCode &&
@ -349,7 +348,7 @@ public class ProviderBillingServiceTests
                CloudRegion = "US"
            });

-        sutProvider.GetDependency<IStripeAdapter>().CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(
                options =>
                    options.Address.Country == providerCustomer.Address.Country &&
                    options.Address.PostalCode == providerCustomer.Address.PostalCode &&
@ -370,7 +369,7 @@ public class ProviderBillingServiceTests

        await sutProvider.Sut.CreateCustomerForClientOrganization(provider, organization);

-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(
            options =>
                options.Address.Country == providerCustomer.Address.Country &&
                options.Address.PostalCode == providerCustomer.Address.PostalCode &&
@ -535,7 +534,7 @@ public class ProviderBillingServiceTests
        await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, 10);

        // 50 assigned seats + 10 seat scale up = 60 seats, well below the 100 minimum
-        await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs().SubscriptionUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs().UpdateSubscriptionAsync(
            Arg.Any<string>(),
            Arg.Any<SubscriptionUpdateOptions>());

@ -619,7 +618,7 @@ public class ProviderBillingServiceTests
        await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, 10);

        // 95 current + 10 seat scale = 105 seats, 5 above the minimum
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).SubscriptionUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).UpdateSubscriptionAsync(
            provider.GatewaySubscriptionId,
            Arg.Is<SubscriptionUpdateOptions>(
                options =>
@ -707,7 +706,7 @@ public class ProviderBillingServiceTests
        await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, 10);

        // 110 current + 10 seat scale up = 120 seats
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).SubscriptionUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).UpdateSubscriptionAsync(
            provider.GatewaySubscriptionId,
            Arg.Is<SubscriptionUpdateOptions>(
                options =>
@ -795,7 +794,7 @@ public class ProviderBillingServiceTests
        await sutProvider.Sut.ScaleSeats(provider, PlanType.TeamsMonthly, -30);

        // 110 seats - 30 scale down seats = 80 seats, below the 100 seat minimum.
-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).SubscriptionUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).UpdateSubscriptionAsync(
            provider.GatewaySubscriptionId,
            Arg.Is<SubscriptionUpdateOptions>(
                options =>
@ -914,12 +913,12 @@ public class ProviderBillingServiceTests
        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
        var tokenizedPaymentMethod = new TokenizedPaymentMethod { Type = TokenizablePaymentMethodType.BankAccount, Token = "token" };

-        stripeAdapter.SetupIntentList(Arg.Is<SetupIntentListOptions>(options =>
+        stripeAdapter.ListSetupIntentsAsync(Arg.Is<SetupIntentListOptions>(options =>
            options.PaymentMethod == tokenizedPaymentMethod.Token)).Returns([
            new SetupIntent { Id = "setup_intent_id" }
        ]);

-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                o.Address.Country == billingAddress.Country &&
                o.Address.PostalCode == billingAddress.PostalCode &&
                o.Address.Line1 == billingAddress.Line1 &&
@ -942,7 +941,7 @@ public class ProviderBillingServiceTests

        await sutProvider.GetDependency<ISetupIntentCache>().Received(1).Set(provider.Id, "setup_intent_id");

-        await stripeAdapter.Received(1).SetupIntentCancel("setup_intent_id", Arg.Is<SetupIntentCancelOptions>(options =>
+        await stripeAdapter.Received(1).CancelSetupIntentAsync("setup_intent_id", Arg.Is<SetupIntentCancelOptions>(options =>
            options.CancellationReason == "abandoned"));

        await sutProvider.GetDependency<ISetupIntentCache>().Received(1).RemoveSetupIntentForSubscriber(provider.Id);
@ -964,7 +963,7 @@ public class ProviderBillingServiceTests
        sutProvider.GetDependency<ISubscriberService>().CreateBraintreeCustomer(provider, tokenizedPaymentMethod.Token)
            .Returns("braintree_customer_id");

-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                o.Address.Country == billingAddress.Country &&
                o.Address.PostalCode == billingAddress.PostalCode &&
                o.Address.Line1 == billingAddress.Line1 &&
@ -1007,12 +1006,12 @@ public class ProviderBillingServiceTests

        var tokenizedPaymentMethod = new TokenizedPaymentMethod { Type = TokenizablePaymentMethodType.BankAccount, Token = "token" };

-        stripeAdapter.SetupIntentList(Arg.Is<SetupIntentListOptions>(options =>
+        stripeAdapter.ListSetupIntentsAsync(Arg.Is<SetupIntentListOptions>(options =>
            options.PaymentMethod == tokenizedPaymentMethod.Token)).Returns([
            new SetupIntent { Id = "setup_intent_id" }
        ]);

-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                o.Address.Country == billingAddress.Country &&
                o.Address.PostalCode == billingAddress.PostalCode &&
                o.Address.Line1 == billingAddress.Line1 &&
@ -1058,7 +1057,7 @@ public class ProviderBillingServiceTests
        sutProvider.GetDependency<ISubscriberService>().CreateBraintreeCustomer(provider, tokenizedPaymentMethod.Token)
            .Returns("braintree_customer_id");

-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                o.Address.Country == billingAddress.Country &&
                o.Address.PostalCode == billingAddress.PostalCode &&
                o.Address.Line1 == billingAddress.Line1 &&
@ -1100,7 +1099,7 @@ public class ProviderBillingServiceTests

        var tokenizedPaymentMethod = new TokenizedPaymentMethod { Type = TokenizablePaymentMethodType.Card, Token = "token" };

-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                o.Address.Country == billingAddress.Country &&
                o.Address.PostalCode == billingAddress.PostalCode &&
                o.Address.Line1 == billingAddress.Line1 &&
@ -1142,7 +1141,7 @@ public class ProviderBillingServiceTests

        var tokenizedPaymentMethod = new TokenizedPaymentMethod { Type = TokenizablePaymentMethodType.Card, Token = "token" };

-        stripeAdapter.CustomerCreateAsync(Arg.Is<CustomerCreateOptions>(o =>
+        stripeAdapter.CreateCustomerAsync(Arg.Is<CustomerCreateOptions>(o =>
                o.Address.Country == billingAddress.Country &&
                o.Address.PostalCode == billingAddress.PostalCode &&
                o.Address.Line1 == billingAddress.Line1 &&
@ -1178,7 +1177,7 @@ public class ProviderBillingServiceTests
        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
        var tokenizedPaymentMethod = new TokenizedPaymentMethod { Type = TokenizablePaymentMethodType.Card, Token = "token" };

-        stripeAdapter.CustomerCreateAsync(Arg.Any<CustomerCreateOptions>())
+        stripeAdapter.CreateCustomerAsync(Arg.Any<CustomerCreateOptions>())
            .Throws(new StripeException("Invalid tax ID") { StripeError = new StripeError { Code = "tax_id_invalid" } });

        var actual = await Assert.ThrowsAsync<BadRequestException>(async () =>
@ -1216,7 +1215,7 @@ public class ProviderBillingServiceTests

        await sutProvider.GetDependency<IStripeAdapter>()
            .DidNotReceiveWithAnyArgs()
-            .SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+            .CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
    }

    [Theory, BitAutoData]
@ -1244,7 +1243,7 @@ public class ProviderBillingServiceTests

        await sutProvider.GetDependency<IStripeAdapter>()
            .DidNotReceiveWithAnyArgs()
-            .SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+            .CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
    }

    [Theory, BitAutoData]
@ -1272,7 +1271,7 @@ public class ProviderBillingServiceTests

        await sutProvider.GetDependency<IStripeAdapter>()
            .DidNotReceiveWithAnyArgs()
-            .SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>());
+            .CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>());
    }

    [Theory, BitAutoData]
@ -1323,7 +1322,7 @@ public class ProviderBillingServiceTests
        sutProvider.GetDependency<IProviderPlanRepository>().GetByProviderId(provider.Id)
            .Returns(providerPlans);

-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>())
            .Returns(
                new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Incomplete });

@ -1381,7 +1380,7 @@ public class ProviderBillingServiceTests

        var expected = new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Active };

-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(
            sub =>
                sub.AutomaticTax.Enabled == true &&
                sub.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
@ -1458,7 +1457,7 @@ public class ProviderBillingServiceTests
        var expected = new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Active };


-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(
            sub =>
                sub.AutomaticTax.Enabled == true &&
                sub.CollectionMethod == StripeConstants.CollectionMethod.ChargeAutomatically &&
@ -1538,7 +1537,7 @@ public class ProviderBillingServiceTests

        sutProvider.GetDependency<ISetupIntentCache>().GetSetupIntentIdForSubscriber(provider.Id).Returns(setupIntentId);

-        sutProvider.GetDependency<IStripeAdapter>().SetupIntentGet(setupIntentId, Arg.Is<SetupIntentGetOptions>(options =>
+        sutProvider.GetDependency<IStripeAdapter>().GetSetupIntentAsync(setupIntentId, Arg.Is<SetupIntentGetOptions>(options =>
            options.Expand.Contains("payment_method"))).Returns(new SetupIntent
            {
                Id = setupIntentId,
@ -1553,7 +1552,7 @@ public class ProviderBillingServiceTests
                }
            });

-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(
            sub =>
                sub.AutomaticTax.Enabled == true &&
                sub.CollectionMethod == StripeConstants.CollectionMethod.ChargeAutomatically &&
@ -1635,7 +1634,7 @@ public class ProviderBillingServiceTests
        var expected = new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Active };


-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(
            sub =>
                sub.AutomaticTax.Enabled == true &&
                sub.CollectionMethod == StripeConstants.CollectionMethod.ChargeAutomatically &&
@ -1713,7 +1712,7 @@ public class ProviderBillingServiceTests
        var expected = new Subscription { Id = "subscription_id", Status = StripeConstants.SubscriptionStatus.Active };


-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(
+        sutProvider.GetDependency<IStripeAdapter>().CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(
            sub =>
                sub.AutomaticTax.Enabled == true &&
                sub.CollectionMethod == StripeConstants.CollectionMethod.ChargeAutomatically &&
@ -1828,7 +1827,7 @@ public class ProviderBillingServiceTests
        await providerPlanRepository.Received(1).ReplaceAsync(Arg.Is<ProviderPlan>(
            providerPlan => providerPlan.PlanType == PlanType.TeamsMonthly && providerPlan.SeatMinimum == 20 && providerPlan.PurchasedSeats == 5));

-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
            Arg.Is<SubscriptionUpdateOptions>(
                options =>
                    options.Items.Count == 2 &&
@ -1908,7 +1907,7 @@ public class ProviderBillingServiceTests
        await providerPlanRepository.Received(1).ReplaceAsync(Arg.Is<ProviderPlan>(
            providerPlan => providerPlan.PlanType == PlanType.TeamsMonthly && providerPlan.SeatMinimum == 50));

-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
            Arg.Is<SubscriptionUpdateOptions>(
                options =>
                    options.Items.Count == 2 &&
@ -1989,7 +1988,7 @@ public class ProviderBillingServiceTests
            providerPlan => providerPlan.PlanType == PlanType.TeamsMonthly && providerPlan.SeatMinimum == 60 && providerPlan.PurchasedSeats == 10));

        await stripeAdapter.DidNotReceiveWithAnyArgs()
-            .SubscriptionUpdateAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
+            .UpdateSubscriptionAsync(Arg.Any<string>(), Arg.Any<SubscriptionUpdateOptions>());
    }

    [Theory, BitAutoData]
@ -2062,7 +2061,7 @@ public class ProviderBillingServiceTests
        await providerPlanRepository.Received(1).ReplaceAsync(Arg.Is<ProviderPlan>(
            providerPlan => providerPlan.PlanType == PlanType.TeamsMonthly && providerPlan.SeatMinimum == 80 && providerPlan.PurchasedSeats == 0));

-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
            Arg.Is<SubscriptionUpdateOptions>(
                options =>
                    options.Items.Count == 2 &&
@ -2142,7 +2141,7 @@ public class ProviderBillingServiceTests
        await providerPlanRepository.DidNotReceive().ReplaceAsync(Arg.Is<ProviderPlan>(
            providerPlan => providerPlan.PlanType == PlanType.TeamsMonthly));

-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
            Arg.Is<SubscriptionUpdateOptions>(
                options =>
                    options.Items.Count == 1 &&
@ -2151,4 +2150,151 @@ public class ProviderBillingServiceTests
    }

    #endregion
+
+    #region UpdateProviderNameAndEmail
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_NullGatewayCustomerId_LogsWarningAndReturns(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.GatewayCustomerId = null;
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_EmptyGatewayCustomerId_LogsWarningAndReturns(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.GatewayCustomerId = "";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_NullProviderName_LogsWarningAndReturns(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.Name = null;
+        provider.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_EmptyProviderName_LogsWarningAndReturns(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.Name = "";
+        provider.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.DidNotReceive().UpdateCustomerAsync(
+            Arg.Any<string>(),
+            Arg.Any<CustomerUpdateOptions>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_ValidProvider_CallsStripeWithCorrectParameters(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.Name = "Test Provider";
+        provider.BillingEmail = "billing@test.com";
+        provider.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.Received(1).UpdateCustomerAsync(
+            provider.GatewayCustomerId,
+            Arg.Is<CustomerUpdateOptions>(options =>
+                options.Email == provider.BillingEmail &&
+                options.Description == provider.Name &&
+                options.InvoiceSettings.CustomFields.Count == 1 &&
+                options.InvoiceSettings.CustomFields[0].Name == "Provider" &&
+                options.InvoiceSettings.CustomFields[0].Value == provider.Name));
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_LongProviderName_UsesFullName(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        var longName = new string('A', 50); // 50 characters
+        provider.Name = longName;
+        provider.BillingEmail = "billing@test.com";
+        provider.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.Received(1).UpdateCustomerAsync(
+            provider.GatewayCustomerId,
+            Arg.Is<CustomerUpdateOptions>(options =>
+                options.InvoiceSettings.CustomFields[0].Value == longName));
+    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateProviderNameAndEmail_NullBillingEmail_UpdatesWithNull(
+        Provider provider,
+        SutProvider<ProviderBillingService> sutProvider)
+    {
+        // Arrange
+        provider.Name = "Test Provider";
+        provider.BillingEmail = null;
+        provider.GatewayCustomerId = "cus_test123";
+        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();
+
+        // Act
+        await sutProvider.Sut.UpdateProviderNameAndEmail(provider);
+
+        // Assert
+        await stripeAdapter.Received(1).UpdateCustomerAsync(
+            provider.GatewayCustomerId,
+            Arg.Is<CustomerUpdateOptions>(options =>
+                options.Email == null &&
+                options.Description == provider.Name));
+    }
+
+    #endregion
 }
--- a/bitwarden_license/test/Commercial.Core.Test/SecretsManager/Repositories/SecretVersionRepositoryTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/SecretsManager/Repositories/SecretVersionRepositoryTests.cs
@ -0,0 +1,130 @@
+using Bit.Core.SecretsManager.Entities;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Commercial.Core.Test.SecretsManager.Repositories;
+
+public class SecretVersionRepositoryTests
+{
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_EntityCreation_Success(SecretVersion secretVersion)
+    {
+        // Arrange & Act
+        secretVersion.SetNewId();
+
+        // Assert
+        Assert.NotEqual(Guid.Empty, secretVersion.Id);
+        Assert.NotEqual(Guid.Empty, secretVersion.SecretId);
+        Assert.NotNull(secretVersion.Value);
+        Assert.NotEqual(default, secretVersion.VersionDate);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_WithServiceAccountEditor_Success(SecretVersion secretVersion, Guid serviceAccountId)
+    {
+        // Arrange & Act
+        secretVersion.EditorServiceAccountId = serviceAccountId;
+        secretVersion.EditorOrganizationUserId = null;
+
+        // Assert
+        Assert.Equal(serviceAccountId, secretVersion.EditorServiceAccountId);
+        Assert.Null(secretVersion.EditorOrganizationUserId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_WithOrganizationUserEditor_Success(SecretVersion secretVersion, Guid organizationUserId)
+    {
+        // Arrange & Act
+        secretVersion.EditorOrganizationUserId = organizationUserId;
+        secretVersion.EditorServiceAccountId = null;
+
+        // Assert
+        Assert.Equal(organizationUserId, secretVersion.EditorOrganizationUserId);
+        Assert.Null(secretVersion.EditorServiceAccountId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_NullableEditors_Success(SecretVersion secretVersion)
+    {
+        // Arrange & Act
+        secretVersion.EditorServiceAccountId = null;
+        secretVersion.EditorOrganizationUserId = null;
+
+        // Assert
+        Assert.Null(secretVersion.EditorServiceAccountId);
+        Assert.Null(secretVersion.EditorOrganizationUserId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_VersionDateSet_Success(SecretVersion secretVersion)
+    {
+        // Arrange
+        var versionDate = DateTime.UtcNow;
+
+        // Act
+        secretVersion.VersionDate = versionDate;
+
+        // Assert
+        Assert.Equal(versionDate, secretVersion.VersionDate);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_ValueEncrypted_Success(SecretVersion secretVersion, string encryptedValue)
+    {
+        // Arrange & Act
+        secretVersion.Value = encryptedValue;
+
+        // Assert
+        Assert.Equal(encryptedValue, secretVersion.Value);
+        Assert.NotEmpty(secretVersion.Value);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_MultipleVersions_DifferentIds(List<SecretVersion> secretVersions, Guid secretId)
+    {
+        // Arrange & Act
+        foreach (var version in secretVersions)
+        {
+            version.SecretId = secretId;
+            version.SetNewId();
+        }
+
+        // Assert
+        var distinctIds = secretVersions.Select(v => v.Id).Distinct();
+        Assert.Equal(secretVersions.Count, distinctIds.Count());
+        Assert.All(secretVersions, v => Assert.Equal(secretId, v.SecretId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_VersionDateOrdering_Success(SecretVersion version1, SecretVersion version2, SecretVersion version3, Guid secretId)
+    {
+        // Arrange
+        var now = DateTime.UtcNow;
+        version1.SecretId = secretId;
+        version1.VersionDate = now.AddDays(-2);
+
+        version2.SecretId = secretId;
+        version2.VersionDate = now.AddDays(-1);
+
+        version3.SecretId = secretId;
+        version3.VersionDate = now;
+
+        var versions = new List<SecretVersion> { version2, version3, version1 };
+
+        // Act
+        var orderedVersions = versions.OrderByDescending(v => v.VersionDate).ToList();
+
+        // Assert
+        Assert.Equal(version3.Id, orderedVersions[0].Id); // Most recent
+        Assert.Equal(version2.Id, orderedVersions[1].Id);
+        Assert.Equal(version1.Id, orderedVersions[2].Id); // Oldest
+    }
+}
--- a/bitwarden_license/test/SSO.Test/Controllers/AccountControllerTest.cs
+++ b/bitwarden_license/test/SSO.Test/Controllers/AccountControllerTest.cs
@ -3,13 +3,14 @@ using System.Security.Claims;
 using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Auth.Models.Data;
 using Bit.Core.Auth.Repositories;
-using Bit.Core.Auth.UserFeatures.Registration;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
+using Bit.Core.Tokens;
 using Bit.Sso.Controllers;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
@ -19,7 +20,6 @@ using Duende.IdentityServer.Models;
 using Duende.IdentityServer.Services;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.DependencyInjection;
 using NSubstitute;
@ -1012,129 +1012,127 @@ public class AccountControllerTest
    }

    [Theory, BitAutoData]
-    public async Task AutoProvisionUserAsync_WithFeatureFlagEnabled_CallsRegisterSSOAutoProvisionedUser(
-        SutProvider<AccountController> sutProvider)
+    public void ExternalChallenge_WithMatchingOrgId_Succeeds(
+        SutProvider<AccountController> sutProvider,
+        Organization organization)
    {
        // Arrange
-        var orgId = Guid.NewGuid();
-        var providerUserId = "ext-new-user";
-        var email = "newuser@example.com";
-        var organization = new Organization { Id = orgId, Name = "Test Org", Seats = null };
+        var orgId = organization.Id;
+        var scheme = orgId.ToString();
+        var returnUrl = "~/vault";
+        var state = "test-state";
+        var userIdentifier = "user-123";
+        var ssoToken = "valid-sso-token";

-        // No existing user (JIT provisioning scenario)
-        sutProvider.GetDependency<IUserRepository>().GetByEmailAsync(email).Returns((User?)null);
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(orgId).Returns(organization);
-        sutProvider.GetDependency<IOrganizationUserRepository>().GetByOrganizationEmailAsync(orgId, email)
-            .Returns((OrganizationUser?)null);
+        // Mock the data protector to return a tokenable with matching org ID
+        var dataProtector = sutProvider.GetDependency<IDataProtectorTokenFactory<SsoTokenable>>();
+        var tokenable = new SsoTokenable(organization, 3600);
+        dataProtector.Unprotect(ssoToken).Returns(tokenable);

-        // Feature flag enabled
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.MjmlWelcomeEmailTemplates)
-            .Returns(true);
+        // Mock URL helper for IsLocalUrl check
+        var urlHelper = Substitute.For<IUrlHelper>();
+        urlHelper.IsLocalUrl(returnUrl).Returns(true);
+        sutProvider.Sut.Url = urlHelper;

-        // Mock the RegisterSSOAutoProvisionedUserAsync to return success
-        sutProvider.GetDependency<IRegisterUserCommand>()
-            .RegisterSSOAutoProvisionedUserAsync(Arg.Any<User>(), Arg.Any<Organization>())
-            .Returns(IdentityResult.Success);
-
-        var claims = new[]
-        {
-            new Claim(JwtClaimTypes.Email, email),
-            new Claim(JwtClaimTypes.Name, "New User")
-        } as IEnumerable<Claim>;
-        var config = new SsoConfigurationData();
-
-        var method = typeof(AccountController).GetMethod(
-            "CreateUserAndOrgUserConditionallyAsync",
-            BindingFlags.Instance | BindingFlags.NonPublic);
-        Assert.NotNull(method);
+        // Mock interaction service for IsValidReturnUrl check
+        var interactionService = sutProvider.GetDependency<IIdentityServerInteractionService>();
+        interactionService.IsValidReturnUrl(returnUrl).Returns(true);

        // Act
-        var task = (Task<(User user, Organization organization, OrganizationUser orgUser)>)method!.Invoke(
-            sutProvider.Sut,
-            new object[]
-            {
-                orgId.ToString(),
-                providerUserId,
-                claims,
-                null!,
-                config
-            })!;
-
-        var result = await task;
+        var result = sutProvider.Sut.ExternalChallenge(scheme, returnUrl, state, userIdentifier, ssoToken);

        // Assert
-        await sutProvider.GetDependency<IRegisterUserCommand>().Received(1)
-            .RegisterSSOAutoProvisionedUserAsync(
-                Arg.Is<User>(u => u.Email == email && u.Name == "New User"),
-                Arg.Is<Organization>(o => o.Id == orgId && o.Name == "Test Org"));
-
-        Assert.NotNull(result.user);
-        Assert.Equal(email, result.user.Email);
-        Assert.Equal(organization.Id, result.organization.Id);
+        var challengeResult = Assert.IsType<ChallengeResult>(result);
+        Assert.Contains(scheme, challengeResult.AuthenticationSchemes);
+        Assert.NotNull(challengeResult.Properties);
+        Assert.Equal(scheme, challengeResult.Properties.Items["scheme"]);
+        Assert.Equal(returnUrl, challengeResult.Properties.Items["return_url"]);
+        Assert.Equal(state, challengeResult.Properties.Items["state"]);
+        Assert.Equal(userIdentifier, challengeResult.Properties.Items["user_identifier"]);
    }

    [Theory, BitAutoData]
-    public async Task AutoProvisionUserAsync_WithFeatureFlagDisabled_CallsRegisterUserInstead(
+    public void ExternalChallenge_WithMismatchedOrgId_ThrowsSsoOrganizationIdMismatch(
+        SutProvider<AccountController> sutProvider,
+        Organization organization)
+    {
+        // Arrange
+        var correctOrgId = organization.Id;
+        var wrongOrgId = Guid.NewGuid();
+        var scheme = wrongOrgId.ToString(); // Different from tokenable's org ID
+        var returnUrl = "~/vault";
+        var state = "test-state";
+        var userIdentifier = "user-123";
+        var ssoToken = "valid-sso-token";
+
+        // Mock the data protector to return a tokenable with different org ID
+        var dataProtector = sutProvider.GetDependency<IDataProtectorTokenFactory<SsoTokenable>>();
+        var tokenable = new SsoTokenable(organization, 3600); // Contains correctOrgId
+        dataProtector.Unprotect(ssoToken).Returns(tokenable);
+
+        // Mock i18n service to return the key
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>())
+            .Returns(ci => (string)ci[0]!);
+
+        // Act & Assert
+        var ex = Assert.Throws<Exception>(() =>
+            sutProvider.Sut.ExternalChallenge(scheme, returnUrl, state, userIdentifier, ssoToken));
+        Assert.Equal("SsoOrganizationIdMismatch", ex.Message);
+    }
+
+    [Theory, BitAutoData]
+    public void ExternalChallenge_WithInvalidSchemeFormat_ThrowsSsoOrganizationIdMismatch(
+        SutProvider<AccountController> sutProvider,
+        Organization organization)
+    {
+        // Arrange
+        var scheme = "not-a-valid-guid";
+        var returnUrl = "~/vault";
+        var state = "test-state";
+        var userIdentifier = "user-123";
+        var ssoToken = "valid-sso-token";
+
+        // Mock the data protector to return a valid tokenable
+        var dataProtector = sutProvider.GetDependency<IDataProtectorTokenFactory<SsoTokenable>>();
+        var tokenable = new SsoTokenable(organization, 3600);
+        dataProtector.Unprotect(ssoToken).Returns(tokenable);
+
+        // Mock i18n service to return the key
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>())
+            .Returns(ci => (string)ci[0]!);
+
+        // Act & Assert
+        var ex = Assert.Throws<Exception>(() =>
+            sutProvider.Sut.ExternalChallenge(scheme, returnUrl, state, userIdentifier, ssoToken));
+        Assert.Equal("SsoOrganizationIdMismatch", ex.Message);
+    }
+
+    [Theory, BitAutoData]
+    public void ExternalChallenge_WithInvalidSsoToken_ThrowsInvalidSsoToken(
        SutProvider<AccountController> sutProvider)
    {
        // Arrange
        var orgId = Guid.NewGuid();
-        var providerUserId = "ext-legacy-user";
-        var email = "legacyuser@example.com";
-        var organization = new Organization { Id = orgId, Name = "Test Org", Seats = null };
+        var scheme = orgId.ToString();
+        var returnUrl = "~/vault";
+        var state = "test-state";
+        var userIdentifier = "user-123";
+        var ssoToken = "invalid-corrupted-token";

-        // No existing user (JIT provisioning scenario)
-        sutProvider.GetDependency<IUserRepository>().GetByEmailAsync(email).Returns((User?)null);
-        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(orgId).Returns(organization);
-        sutProvider.GetDependency<IOrganizationUserRepository>().GetByOrganizationEmailAsync(orgId, email)
-            .Returns((OrganizationUser?)null);
+        // Mock the data protector to throw when trying to unprotect
+        var dataProtector = sutProvider.GetDependency<IDataProtectorTokenFactory<SsoTokenable>>();
+        dataProtector.Unprotect(ssoToken).Returns(_ => throw new Exception("Token validation failed"));

-        // Feature flag disabled
-        sutProvider.GetDependency<IFeatureService>()
-            .IsEnabled(FeatureFlagKeys.MjmlWelcomeEmailTemplates)
-            .Returns(false);
+        // Mock i18n service to return the key
+        sutProvider.GetDependency<II18nService>()
+            .T(Arg.Any<string>())
+            .Returns(ci => (string)ci[0]!);

-        // Mock the RegisterUser to return success
-        sutProvider.GetDependency<IRegisterUserCommand>()
-            .RegisterUser(Arg.Any<User>())
-            .Returns(IdentityResult.Success);
-
-        var claims = new[]
-        {
-            new Claim(JwtClaimTypes.Email, email),
-            new Claim(JwtClaimTypes.Name, "Legacy User")
-        } as IEnumerable<Claim>;
-        var config = new SsoConfigurationData();
-
-        var method = typeof(AccountController).GetMethod(
-            "CreateUserAndOrgUserConditionallyAsync",
-            BindingFlags.Instance | BindingFlags.NonPublic);
-        Assert.NotNull(method);
-
-        // Act
-        var task = (Task<(User user, Organization organization, OrganizationUser orgUser)>)method!.Invoke(
-            sutProvider.Sut,
-            new object[]
-            {
-                orgId.ToString(),
-                providerUserId,
-                claims,
-                null!,
-                config
-            })!;
-
-        var result = await task;
-
-        // Assert
-        await sutProvider.GetDependency<IRegisterUserCommand>().Received(1)
-            .RegisterUser(Arg.Is<User>(u => u.Email == email && u.Name == "Legacy User"));
-
-        // Verify the new method was NOT called
-        await sutProvider.GetDependency<IRegisterUserCommand>().DidNotReceive()
-            .RegisterSSOAutoProvisionedUserAsync(Arg.Any<User>(), Arg.Any<Organization>());
-
-        Assert.NotNull(result.user);
-        Assert.Equal(email, result.user.Email);
+        // Act & Assert
+        var ex = Assert.Throws<Exception>(() =>
+            sutProvider.Sut.ExternalChallenge(scheme, returnUrl, state, userIdentifier, ssoToken));
+        Assert.Equal("InvalidSsoToken", ex.Message);
    }
 }
--- a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs
+++ b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs
@ -200,6 +200,38 @@ public class GroupsControllerTests : IClassFixture<ScimApplicationFactory>, IAsy
        AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
    }

+    [Fact]
+    public async Task GetList_SearchDisplayNameWithoutOptionalParameters_Success()
+    {
+        string filter = "displayName eq Test Group 2";
+        int? itemsPerPage = null;
+        int? startIndex = null;
+        var expectedResponse = new ScimListResponseModel<ScimGroupResponseModel>
+        {
+            ItemsPerPage = 50, //default value
+            TotalResults = 1,
+            StartIndex = 1, //default value
+            Resources = new List<ScimGroupResponseModel>
+            {
+                new ScimGroupResponseModel
+                {
+                    Id = ScimApplicationFactory.TestGroupId2,
+                    DisplayName = "Test Group 2",
+                    ExternalId = "B",
+                    Schemas = new List<string> { ScimConstants.Scim2SchemaGroup }
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaListResponse }
+        };
+
+        var context = await _factory.GroupsGetListAsync(ScimApplicationFactory.TestOrganizationId1, filter, itemsPerPage, startIndex);
+
+        Assert.Equal(StatusCodes.Status200OK, context.Response.StatusCode);
+
+        var responseModel = JsonSerializer.Deserialize<ScimListResponseModel<ScimGroupResponseModel>>(context.Response.Body, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase });
+        AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
+    }
+
    [Fact]
    public async Task Post_Success()
    {
--- a/bitwarden_license/test/Scim.Test/Groups/GetGroupsListQueryTests.cs
+++ b/bitwarden_license/test/Scim.Test/Groups/GetGroupsListQueryTests.cs
@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Scim.Groups;
+using Bit.Scim.Models;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
@ -24,7 +25,7 @@ public class GetGroupsListCommandTests
            .GetManyByOrganizationIdAsync(organizationId)
            .Returns(groups);

-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, null, count, startIndex);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Count = count, StartIndex = startIndex });

        AssertHelper.AssertPropertyEqual(groups.Skip(startIndex - 1).Take(count).ToList(), result.groupList);
        AssertHelper.AssertPropertyEqual(groups.Count, result.totalResults);
@ -47,7 +48,7 @@ public class GetGroupsListCommandTests
            .GetManyByOrganizationIdAsync(organizationId)
            .Returns(groups);

-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });

        AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
        AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);
@ -67,7 +68,7 @@ public class GetGroupsListCommandTests
            .GetManyByOrganizationIdAsync(organizationId)
            .Returns(groups);

-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });

        AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
        AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);
@ -90,7 +91,7 @@ public class GetGroupsListCommandTests
            .GetManyByOrganizationIdAsync(organizationId)
            .Returns(groups);

-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });

        AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
        AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);
@ -112,7 +113,7 @@ public class GetGroupsListCommandTests
            .GetManyByOrganizationIdAsync(organizationId)
            .Returns(groups);

-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });

        AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
        AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);
--- a/bitwarden_license/test/Scim.Test/Users/GetUsersListQueryTests.cs
+++ b/bitwarden_license/test/Scim.Test/Users/GetUsersListQueryTests.cs
@ -1,5 +1,6 @@
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
+using Bit.Scim.Models;
 using Bit.Scim.Users;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
--- a/bitwarden_license/test/Scim.Test/Users/PatchUserCommandTests.cs
+++ b/bitwarden_license/test/Scim.Test/Users/PatchUserCommandTests.cs
@ -1,6 +1,6 @@
 using System.Text.Json;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
--- a/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs
+++ b/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs
@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
@ -36,7 +37,7 @@ public class PostUserCommandTests

        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns(organization);

-        sutProvider.GetDependency<IPaymentService>().HasSecretsManagerStandalone(organization).Returns(true);
+        sutProvider.GetDependency<IStripePaymentService>().HasSecretsManagerStandalone(organization).Returns(true);

        sutProvider.GetDependency<IOrganizationService>()
            .InviteUserAsync(organizationId,
--- a/bitwarden_license/test/Sso.IntegrationTest/Controllers/AccountControllerTests.cs
+++ b/bitwarden_license/test/Sso.IntegrationTest/Controllers/AccountControllerTests.cs
@ -0,0 +1,952 @@
+using System.Net;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Sso.IntegrationTest.Utilities;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Bitwarden.License.Test.Sso.IntegrationTest.Utilities;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc.Testing;
+using NSubstitute;
+using Xunit;
+using AuthenticationSchemes = Bit.Core.AuthenticationSchemes;
+
+namespace Bit.Sso.IntegrationTest.Controllers;
+
+public class AccountControllerTests(SsoApplicationFactory factory) : IClassFixture<SsoApplicationFactory>
+{
+    private readonly SsoApplicationFactory _factory = factory;
+
+    /*
+    * Test to verify the /Account/ExternalCallback endpoint exists and is reachable.
+    */
+    [Fact]
+    public async Task ExternalCallback_EndpointExists_ReturnsExpectedStatusCode()
+    {
+        // Arrange
+        var client = _factory.CreateClient();
+
+        // Act - Verify the endpoint is accessible (even if it fails due to missing auth)
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - The endpoint should exist and return 500 (not 404) due to missing authentication
+        Assert.NotEqual(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    /*
+    * Test to verify calling /Account/ExternalCallback without an authentication cookie
+    * results in an error as expected.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNoAuthenticationCookie_ReturnsError()
+    {
+        // Arrange
+        var client = _factory.CreateClient();
+
+        // Act - Call ExternalCallback without proper authentication setup
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because there's no external authentication cookie
+        Assert.False(response.IsSuccessStatusCode);
+        // The endpoint will throw an exception when authentication fails
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify behavior of /Account/ExternalCallback with PM24579 feature flag
+    */
+    [Theory]
+    [BitAutoData(true)]
+    [BitAutoData(false)]
+    public async Task ExternalCallback_WithPM24579FeatureFlag_AndNoAuthCookie_ReturnsError
+    (
+        bool featureFlagEnabled
+    )
+    {
+        // Arrange
+        var client = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.ConfigureServices(services =>
+            {
+                var featureService = Substitute.For<IFeatureService>();
+                featureService.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(featureFlagEnabled);
+                services.AddSingleton(featureService);
+            });
+        }).CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert
+        Assert.False(response.IsSuccessStatusCode);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify behavior of /Account/ExternalCallback simulating failed authentication.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithMockedAuthenticationService_FailedAuth_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithFailedAuthentication()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert
+        Assert.False(response.IsSuccessStatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when SSO config exists but is disabled.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithDisabledSsoConfig_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig(ssoConfig => ssoConfig!.Enabled = false)
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because SSO config is disabled
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Organization not found or SSO configuration not enabled", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task ExternalCallback_FindUserFromExternalProviderAsync_OrganizationOrSsoConfigNotFound_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user has invalid status
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Organization not found or SSO configuration not enabled", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when SSO config expects an ACR value
+    * but the authentication response has a missing or invalid ACR claim.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExpectedAcrValue_AndInvalidAcr_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+        .WithSsoConfig(ssoConfig => ssoConfig!.SetData(
+            new SsoConfigurationData
+            {
+                ExpectedReturnAcrValue = "urn:expected:acr:value"
+            }))
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because ACR claim is missing or invalid
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Expected authentication context class reference (acr) was not returned with the authentication response or is invalid", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when the authentication response
+    * does not contain any recognizable user ID claim (sub, NameIdentifier, uid, upn, eppn).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNoUserIdClaim_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .OmitProviderUserId()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback"); ;
+
+        // Assert - Should fail because no user ID claim was found
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Unknown userid", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when no email claim is found
+    * and the providerUserId cannot be used as a fallback email (doesn't contain @).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNoEmailClaim_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithNullEmail()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because no email claim was found
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Cannot find email claim", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when an existing user
+    * uses Key Connector but has no org user record (was removed from organization).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingKeyConnectorUser_AndNoOrgUser_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser(user =>
+            {
+                user.UsesKeyConnector = true;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user uses Key Connector but has no org user record
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("You were removed from the organization managing single sign-on for your account", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when an existing user
+    * uses Key Connector and has an org user record in the invited status.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingKeyConnectorUser_AndInvitedOrgUser_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig(ssoConfig => { })
+            .WithUser(user =>
+            {
+                user.UsesKeyConnector = true;
+            })
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Invited;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user uses Key Connector but the Org user is in the invited status
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("You were removed from the organization managing single sign-on for your account", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when an existing user
+    * (not using Key Connector) has no org user record - they were removed from the organization.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingUser_AndNoOrgUser_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user exists but has no org user record
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("You were removed from the organization managing single sign-on for your account. Contact the organization administrator", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when an existing user
+    * has an org user record with Invited status - they must accept the invite first.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingUser_AndInvitedOrgUserStatus_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Invited;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user must accept invite before using SSO
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("you must first log in using your master password", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when organization has no available seats
+    * and cannot auto-scale because it's a self-hosted instance.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNoAvailableSeats_OnSelfHosted_ReturnsError()
+    {
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithOrganization(org =>
+            {
+                org.Seats = 5; // Organization has seat limit
+            })
+            .AsSelfHosted()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because no seats available and cannot auto-scale on self-hosted
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("No seats available for organization", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when organization has no available seats
+    * and auto-scaling fails (e.g., billing issue, max seats reached).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNoAvailableSeats_AndAutoAddSeatsFails_ReturnsError()
+    {
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithOrganization(org =>
+            {
+                org.Seats = 5;
+                org.MaxAutoscaleSeats = 5;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because auto-adding seats failed
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("No seats available for organization", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when email cannot be found
+    * during new user provisioning (Scenario 2) after bypassing the first email check
+    * via manual linking path (userIdentifier is set).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithUserIdentifier_AndNoEmail_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUserIdentifier("")
+            .WithNullEmail()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because email cannot be found during new user provisioning
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Cannot find email claim", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when org user has an unknown/invalid status.
+    * This tests defensive code that handles future enum values or data corruption scenarios.
+    * We simulate this by casting an invalid integer to OrganizationUserStatusType.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithUnknownOrgUserStatus_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = (OrganizationUserStatusType)99; // Invalid enum value - simulates future status or data corruption
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because org user status is unknown/invalid
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("is in an unknown state", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    // Note: "User should be found ln 304" appears to be unreachable defensive code.
+    // CreateUserAndOrgUserConditionallyAsync always returns a non-null user or throws an exception,
+    // so possibleSsoLinkedUser cannot be null when the feature flag check executes.
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when userIdentifier
+    * is malformed (doesn't contain comma separator for userId,token format).
+    * There is only a single test case here but in the future we may need to expand the
+    * tests to cover other invalid formats.
+    */
+    [Theory]
+    [BitAutoData("No-Comas-Identifier")]
+    public async Task ExternalCallback_WithInvalidUserIdentifierFormat_ReturnsError(
+        string UserIdentifier
+    )
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUserIdentifier(UserIdentifier)
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because userIdentifier format is invalid
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Invalid user identifier", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when userIdentifier
+    * contains valid userId but invalid/mismatched token.
+    *
+    * NOTE: This test uses the substitute pattern instead of SsoTestDataBuilder because:
+    * - The userIdentifier in the auth result must contain a userId that matches a user in the system
+    * - User.SetNewId() always overwrites the Id (unlike Organization.SetNewId() which has a guard)
+    * - This means we cannot pre-set a User.Id before database insertion
+    * - The auth mock must be configured BEFORE accessing factory.Services (required by SubstituteService)
+    * - Therefore, we cannot coordinate the userId between the auth mock and the seeded user
+    * - Using substitutes allows us to control the exact userId and mock UserManager.VerifyUserTokenAsync
+    */
+    [Fact]
+    public async Task ExternalCallback_WithUserIdentifier_AndInvalidToken_ReturnsError()
+    {
+        // Arrange
+        var organizationId = Guid.NewGuid();
+        var providerUserId = Guid.NewGuid().ToString();
+        var userId = Guid.NewGuid();
+        var testEmail = "test_user@integration.test";
+        var testName = "Test User";
+        // Valid format but token won't verify
+        var userIdentifier = $"{userId},invalid-token";
+
+        var claimedUser = new User
+        {
+            Id = userId,
+            Email = testEmail,
+            Name = testName
+        };
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Name = "Test Organization",
+            Enabled = true,
+            UseSso = true
+        };
+
+        var ssoConfig = new SsoConfig
+        {
+            OrganizationId = organizationId,
+            Enabled = true
+        };
+        ssoConfig.SetData(new SsoConfigurationData());
+
+        var client = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.ConfigureServices(services =>
+            {
+                var featureService = Substitute.For<IFeatureService>();
+                featureService.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(true);
+                services.AddSingleton(featureService);
+
+                // Mock organization repository
+                var orgRepo = Substitute.For<IOrganizationRepository>();
+                orgRepo.GetByIdAsync(organizationId).Returns(organization);
+                orgRepo.GetByIdentifierAsync(organizationId.ToString()).Returns(organization);
+                services.AddSingleton(orgRepo);
+
+                // Mock SSO config repository
+                var ssoConfigRepo = Substitute.For<ISsoConfigRepository>();
+                ssoConfigRepo.GetByOrganizationIdAsync(organizationId).Returns(ssoConfig);
+                services.AddSingleton(ssoConfigRepo);
+
+                // Mock user repository - no existing user via SSO
+                var userRepo = Substitute.For<IUserRepository>();
+                userRepo.GetBySsoUserAsync(providerUserId, organizationId).Returns((User?)null);
+                services.AddSingleton(userRepo);
+
+                // Mock user service - returns user for manual linking lookup
+                var userService = Substitute.For<IUserService>();
+                userService.GetUserByIdAsync(userId.ToString()).Returns(claimedUser);
+                services.AddSingleton(userService);
+
+                // Mock UserManager to return false for token verification
+                var userManager = Substitute.For<UserManager<User>>(
+                    Substitute.For<IUserStore<User>>(), null, null, null, null, null, null, null, null);
+                userManager.VerifyUserTokenAsync(
+                    claimedUser,
+                    Arg.Any<string>(),
+                    Arg.Any<string>(),
+                    Arg.Any<string>())
+                    .Returns(false);
+                services.AddSingleton(userManager);
+
+                // Mock authentication service with userIdentifier that has valid format but invalid token
+                var authService = Substitute.For<IAuthenticationService>();
+                authService.AuthenticateAsync(
+                        Arg.Any<HttpContext>(),
+                        AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme)
+                    .Returns(MockSuccessfulAuthResult.Build(organizationId, providerUserId, testEmail, testName, null, userIdentifier));
+                services.AddSingleton(authService);
+            });
+        }).CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because token verification failed
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Supplied userId and token did not match", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error for revoked org user when PM24579 feature flag is enabled.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithRevokedOrgUser_WithPM24579FeatureFlagEnabled_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Revoked;
+            })
+            .WithFeatureFlags(factoryService =>
+            {
+                factoryService.SubstituteService<IFeatureService>(srv =>
+                {
+                    srv.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(true);
+                });
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user state is invalid
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains(
+            $"Your access to organization {testData.Organization?.DisplayName()} has been revoked. Please contact your administrator for assistance.",
+            stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error for revoked org user when PM24579 feature flag is disabled.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithRevokedOrgUserStatus_WithPM24579FeatureFlagDisabled_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Revoked;
+            })
+            .WithFeatureFlags(factoryService =>
+            {
+                factoryService.SubstituteService<IFeatureService>(srv =>
+                {
+                    srv.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(false);
+                });
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user has invalid status
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains(
+            $"Your access to organization {testData.Organization?.DisplayName()} has been revoked. Please contact your administrator for assistance.",
+            stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error for invited org user when PM24579 feature flag is disabled.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithInvitedOrgUserStatus_WithPM24579FeatureFlagDisabled_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Invited;
+            })
+            .WithFeatureFlags(factoryService =>
+            {
+                factoryService.SubstituteService<IFeatureService>(srv =>
+                {
+                    srv.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(false);
+                });
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user has invalid status
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains(
+        $"To accept your invite to {testData.Organization?.DisplayName()}, you must first log in using your master password. Once your invite has been accepted, you will be able to log in using SSO.",
+            stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when user is found via SSO
+    * but has no organization user record (with feature flag enabled).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithSsoUser_AndNoOrgUser_WithFeatureFlagEnabled_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithSsoUser()
+            .WithFeatureFlags(factoryService =>
+            {
+                factoryService.SubstituteService<IFeatureService>(srv =>
+                {
+                    srv.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(true);
+                });
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because org user cannot be found
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Could not find organization user", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when the provider scheme
+    * is not a valid GUID (SSOProviderIsNotAnOrgId).
+    *
+    * NOTE: This test uses the substitute pattern instead of SsoTestDataBuilder because:
+    * - Organization.Id is of type Guid and cannot be set to a non-GUID value
+    * - The auth mock scheme must be a non-GUID string to trigger this error path
+    * - This cannot be tested since ln 438 in AccountController.FindUserFromExternalProviderAsync throws a different exception
+    *   before reaching the organization lookup exception.
+    */
+    [Fact(Skip = "This test cannot be executed because the organization ID must be a GUID. See note in test summary.")]
+    public async Task ExternalCallback_WithInvalidProviderGuid_ReturnsError()
+    {
+        // Arrange
+        var invalidScheme = "not-a-valid-guid";
+        var providerUserId = Guid.NewGuid().ToString();
+        var testEmail = "test@example.com";
+        var testName = "Test User";
+
+        var client = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.ConfigureServices(services =>
+            {
+                // Mock authentication service with invalid (non-GUID) scheme
+                var authService = Substitute.For<IAuthenticationService>();
+                authService.AuthenticateAsync(
+                        Arg.Any<HttpContext>(),
+                        AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme)
+                    .Returns(MockSuccessfulAuthResult.Build(invalidScheme, providerUserId, testEmail, testName));
+                services.AddSingleton(authService);
+            });
+        }).CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because provider is not a valid organization GUID
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Organization not found from identifier.", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when the organization ID
+    * in the auth result does not match any organization in the database.
+    * NOTE: This code path is unreachable because the SsoConfig must exist to proceed, but there is a circular dependency:
+    * - SsoConfig cannot exist without a valid Organization but the test is testing that an Organization cannot be found.
+    */
+    [Fact(Skip = "This code path is unreachable because the SsoConfig must exist to proceed. But the SsoConfig cannot exist without a valid Organization.")]
+    public async Task ExternalCallback_WithNonExistentOrganization_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithNonExistentOrganizationInAuth()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because organization cannot be found by the ID in auth result
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Could not find organization", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * SUCCESS PATH: Test to verify /Account/ExternalCallback succeeds when an existing
+    * SSO-linked user logs in (user exists in SsoUser table).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingSsoUser_ReturnsSuccess()
+    {
+        // Arrange - User with SSO link already exists
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser()
+            .WithSsoUser()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            AllowAutoRedirect = false // Prevent auto-redirects to capture initial response
+        });
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should succeed and redirect
+        Assert.True(
+            response.StatusCode == HttpStatusCode.Redirect,
+            $"Expected success/redirect but got {response.StatusCode}");
+
+        Assert.NotNull(response.Headers.Location);
+    }
+
+    /*
+    * SUCCESS PATH: Test to verify /Account/ExternalCallback succeeds when JIT provisioning
+    * a new user (user doesn't exist, gets created automatically).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithJitProvisioning_ReturnsSuccess()
+    {
+        // Arrange - No user, no org user - JIT provisioning will create both
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            AllowAutoRedirect = false // Prevent auto-redirects to capture initial response
+        });
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should succeed and redirect
+        Assert.True(
+            response.StatusCode == HttpStatusCode.Redirect,
+            $"Expected success/redirect but got {response.StatusCode}");
+
+        Assert.NotNull(response.Headers.Location);
+    }
+
+    /*
+    * SUCCESS PATH: Test to verify /Account/ExternalCallback succeeds when an existing user
+    * with a valid (Confirmed) organization user status logs in via SSO for the first time.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingUserAndConfirmedOrgUser_ReturnsSuccess()
+    {
+        // Arrange - Existing user with confirmed org user status, no SSO link yet
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Confirmed;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            AllowAutoRedirect = false // Prevent auto-redirects to capture initial response
+        });
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should succeed and redirect
+        Assert.True(
+            response.StatusCode == HttpStatusCode.Redirect,
+            $"Expected success/redirect but got {response.StatusCode}");
+
+        Assert.NotNull(response.Headers.Location);
+    }
+
+    /*
+    * SUCCESS PATH: Test to verify /Account/ExternalCallback succeeds when an existing user
+    * with Accepted organization user status logs in via SSO.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingUserAndAcceptedOrgUser_ReturnsSuccess()
+    {
+        // Arrange - Existing user with accepted org user status
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Accepted;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            AllowAutoRedirect = false // Prevent auto-redirects to capture initial response
+        });
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should succeed and redirect
+        Assert.True(
+            response.StatusCode == HttpStatusCode.Redirect,
+            $"Expected success/redirect but got {response.StatusCode}");
+
+        Assert.NotNull(response.Headers.Location);
+    }
+
+    /*
+    * SUCCESS PATH: Test to verify /Account/ExternalCallback returns a View with 200 status
+    * when the client is a native application (uses custom URI scheme like "bitwarden://callback").
+    * Native clients get a different response for better UX - a 200 with redirect view instead of 302.
+    * See AccountController lines 371-378.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNativeClient_ReturnsViewWith200Status()
+    {
+        // Arrange - Existing SSO user with native client context
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser()
+            .WithSsoUser()
+            .AsNativeClient()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            AllowAutoRedirect = false
+        });
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Native clients get 200 status with a redirect view instead of 302
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+        // The Location header should be empty for native clients (set in controller)
+        // and the response should contain the redirect view
+        var content = await response.Content.ReadAsStringAsync();
+        Assert.NotEmpty(content); // View content should be present
+    }
+}
--- a/bitwarden_license/test/Sso.IntegrationTest/Properties/launchSettings.json
+++ b/bitwarden_license/test/Sso.IntegrationTest/Properties/launchSettings.json
@ -0,0 +1,12 @@
+{
+  "profiles": {
+    "Sso.IntegrationTest": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      },
+      "applicationUrl": "https://localhost:59973;http://localhost:59974"
+    }
+  }
+}
--- a/bitwarden_license/test/Sso.IntegrationTest/Sso.IntegrationTest.csproj
+++ b/bitwarden_license/test/Sso.IntegrationTest/Sso.IntegrationTest.csproj
@ -0,0 +1,41 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+
+    <IsPackable>false</IsPackable>
+    <IsTestProject>true</IsTestProject>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="coverlet.collector" Version="$(CoverletCollectorVersion)">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.10" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
+    <PackageReference Include="NSubstitute" Version="$(NSubstituteVersion)" />
+    <PackageReference Include="xunit" Version="$(XUnitVersion)" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="$(XUnitRunnerVisualStudioVersion)">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="AutoFixture.Xunit2" Version="$(AutoFixtureXUnit2Version)" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\Sso\Sso.csproj" />
+    <ProjectReference Include="..\..\..\test\Common\Common.csproj" />
+    <ProjectReference Include="..\..\..\test\IntegrationTestCommon\IntegrationTestCommon.csproj" />
+  </ItemGroup>
+  <ItemGroup>
+    <Content Update="Properties\launchSettings.json">
+      <ExcludeFromSingleFile>true</ExcludeFromSingleFile>
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+      <CopyToPublishDirectory>Never</CopyToPublishDirectory>
+    </Content>
+  </ItemGroup>
+
+</Project>
--- a/bitwarden_license/test/Sso.IntegrationTest/Utilities/SsoApplicationFactory.cs
+++ b/bitwarden_license/test/Sso.IntegrationTest/Utilities/SsoApplicationFactory.cs
@ -0,0 +1,11 @@
+using Bit.IntegrationTestCommon.Factories;
+
+namespace Bit.Sso.IntegrationTest.Utilities;
+
+public class SsoApplicationFactory : WebApplicationFactoryBase<Startup>
+{
+    protected override void ConfigureWebHost(IWebHostBuilder builder)
+    {
+        base.ConfigureWebHost(builder);
+    }
+}
--- a/bitwarden_license/test/Sso.IntegrationTest/Utilities/SsoTestDataBuilder.cs
+++ b/bitwarden_license/test/Sso.IntegrationTest/Utilities/SsoTestDataBuilder.cs
@ -0,0 +1,327 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Settings;
+using Bitwarden.License.Test.Sso.IntegrationTest.Utilities;
+using Duende.IdentityServer.Models;
+using Duende.IdentityServer.Services;
+using Microsoft.AspNetCore.Authentication;
+using NSubstitute;
+using AuthenticationSchemes = Bit.Core.AuthenticationSchemes;
+
+namespace Bit.Sso.IntegrationTest.Utilities;
+
+/// <summary>
+/// Contains the factory and all entities created by <see cref="SsoTestDataBuilder"/> for use in integration tests.
+/// </summary>
+public record SsoTestData(
+    SsoApplicationFactory Factory,
+    Organization? Organization,
+    User? User,
+    OrganizationUser? OrganizationUser,
+    SsoConfig? SsoConfig,
+    SsoUser? SsoUser);
+
+/// <summary>
+/// Builder for creating SSO test data with seeded database entities.
+/// </summary>
+public class SsoTestDataBuilder
+{
+    /// <summary>
+    /// This UserIdentifier is a mock for the UserIdentifier we get from the External Identity Provider.
+    /// </summary>
+    private string? _userIdentifier;
+    private Action<Organization>? _organizationConfig;
+    private Action<User>? _userConfig;
+    private Action<OrganizationUser>? _orgUserConfig;
+    private Action<SsoConfig>? _ssoConfigConfig;
+    private Action<SsoUser>? _ssoUserConfig;
+    private Action<SsoApplicationFactory>? _featureFlagConfig;
+
+    private bool _includeUser = false;
+    private bool _includeSsoUser = false;
+    private bool _includeOrganizationUser = false;
+    private bool _includeSsoConfig = false;
+    private bool _successfulAuth = true;
+    private bool _withNullEmail = false;
+    private bool _isSelfHosted = false;
+    private bool _includeProviderUserId = true;
+    private bool _useNonExistentOrgInAuth = false;
+    private bool _isNativeClient = false;
+
+    public SsoTestDataBuilder WithOrganization(Action<Organization> configure)
+    {
+        _organizationConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithUser(Action<User>? configure = null)
+    {
+        _includeUser = true;
+        _userConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithOrganizationUser(Action<OrganizationUser>? configure = null)
+    {
+        _includeOrganizationUser = true;
+        _orgUserConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithSsoConfig(Action<SsoConfig>? configure = null)
+    {
+        _includeSsoConfig = true;
+        _ssoConfigConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithSsoUser(Action<SsoUser>? configure = null)
+    {
+        _includeSsoUser = true;
+        _ssoUserConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithFeatureFlags(Action<SsoApplicationFactory> configure)
+    {
+        _featureFlagConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithFailedAuthentication()
+    {
+        _successfulAuth = false;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithNullEmail()
+    {
+        _withNullEmail = true;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithUserIdentifier(string userIdentifier)
+    {
+        _userIdentifier = userIdentifier;
+        return this;
+    }
+
+    public SsoTestDataBuilder OmitProviderUserId()
+    {
+        _includeProviderUserId = false;
+        return this;
+    }
+
+    public SsoTestDataBuilder AsSelfHosted()
+    {
+        _isSelfHosted = true;
+        return this;
+    }
+
+    /// <summary>
+    /// Causes the auth result to use a different (non-existent) organization ID than what is seeded
+    /// in the database. This simulates the "organization not found" scenario.
+    /// </summary>
+    public SsoTestDataBuilder WithNonExistentOrganizationInAuth()
+    {
+        _useNonExistentOrgInAuth = true;
+        return this;
+    }
+
+    /// <summary>
+    /// Configures the test to simulate a native client (non-browser) OIDC flow.
+    /// Native clients use custom URI schemes (e.g., "bitwarden://callback") instead of http/https.
+    /// This causes ExternalCallback to return a View with 200 status instead of a redirect.
+    /// </summary>
+    public SsoTestDataBuilder AsNativeClient()
+    {
+        _isNativeClient = true;
+        return this;
+    }
+
+    public async Task<SsoTestData> BuildAsync()
+    {
+        // Create factory
+        var factory = new SsoApplicationFactory();
+
+        // Pre-generate IDs and values needed for auth mock (before accessing Services)
+        var organizationId = Guid.NewGuid();
+        // Use a different org ID in auth if testing "organization not found" scenario
+        var authOrganizationId = _useNonExistentOrgInAuth ? Guid.NewGuid() : organizationId;
+        var providerUserId = _includeProviderUserId ? Guid.NewGuid().ToString() : "";
+        var userEmail = _withNullEmail ? null : $"user_{Guid.NewGuid()}@test.com";
+        var userName = "TestUser";
+
+        // 1. Configure mocked authentication service BEFORE accessing Services
+        factory.SubstituteService<IAuthenticationService>(authService =>
+        {
+            if (_successfulAuth)
+            {
+                authService.AuthenticateAsync(
+                        Arg.Any<HttpContext>(),
+                        AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme)
+                    .Returns(MockSuccessfulAuthResult.Build(
+                        authOrganizationId,
+                        providerUserId,
+                        userEmail,
+                        userName,
+                        acrValue: null,
+                        _userIdentifier));
+            }
+            else
+            {
+                authService.AuthenticateAsync(
+                        Arg.Any<HttpContext>(),
+                        AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme)
+                    .Returns(AuthenticateResult.Fail("External authentication error"));
+            }
+        });
+
+        // 1.a Configure GlobalSettings for Self-Hosted and seat limit
+        factory.SubstituteService<IGlobalSettings>(globalSettings =>
+        {
+            globalSettings.SelfHosted.Returns(_isSelfHosted);
+        });
+
+        // 1.b configure setting feature flags
+        _featureFlagConfig?.Invoke(factory);
+
+        // 1.c Configure IIdentityServerInteractionService for native client flow
+        if (_isNativeClient)
+        {
+            factory.SubstituteService<IIdentityServerInteractionService>(interaction =>
+            {
+                // Native clients have redirect URIs that don't start with http/https
+                // e.g., "bitwarden://callback" or "com.bitwarden.app://callback"
+                var authorizationRequest = new AuthorizationRequest
+                {
+                    RedirectUri = "bitwarden://sso-callback"
+                };
+                interaction.GetAuthorizationContextAsync(Arg.Any<string>())
+                    .Returns(authorizationRequest);
+            });
+        }
+
+        if (!_successfulAuth)
+        {
+            return new SsoTestData(factory, null!, null!, null!, null!, null!);
+        }
+
+        // 2. Create Organization with defaults (using pre-generated ID)
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Name = "Test Organization",
+            BillingEmail = "billing@test.com",
+            Plan = "Enterprise",
+            Enabled = true,
+            UseSso = true
+        };
+        _organizationConfig?.Invoke(organization);
+
+        var orgRepo = factory.Services.GetRequiredService<IOrganizationRepository>();
+        organization = await orgRepo.CreateAsync(organization);
+
+        // 3. Create User with defaults (using pre-generated values)
+        User? user = null;
+        if (_includeUser)
+        {
+            user = new User
+            {
+                Email = userEmail ?? $"email_{Guid.NewGuid()}@test.dev",
+                Name = userName,
+                ApiKey = Guid.NewGuid().ToString(),
+                SecurityStamp = Guid.NewGuid().ToString()
+            };
+            _userConfig?.Invoke(user);
+
+            var userRepo = factory.Services.GetRequiredService<IUserRepository>();
+            user = await userRepo.CreateAsync(user);
+        }
+
+        // 4. Create OrganizationUser linking them
+        OrganizationUser? orgUser = null;
+        if (_includeOrganizationUser)
+        {
+            orgUser = new OrganizationUser
+            {
+                OrganizationId = organization.Id,
+                UserId = user!.Id,
+                Status = OrganizationUserStatusType.Confirmed,
+                Type = OrganizationUserType.User
+            };
+            _orgUserConfig?.Invoke(orgUser);
+
+            var orgUserRepo = factory.Services.GetRequiredService<IOrganizationUserRepository>();
+            orgUser = await orgUserRepo.CreateAsync(orgUser);
+        }
+
+        // 4.a Create many OrganizationUser to test seat count logic
+        if (organization.Seats > 1)
+        {
+            var orgUserRepo = factory.Services.GetRequiredService<IOrganizationUserRepository>();
+            var userRepo = factory.Services.GetRequiredService<IUserRepository>();
+            var additionalOrgUsers = new List<OrganizationUser>();
+            for (var i = 1; i <= organization.Seats; i++)
+            {
+                var additionalUser = new User
+                {
+                    Email = $"additional_user_{i}_{Guid.NewGuid()}@test.dev",
+                    Name = $"AdditionalUser{i}",
+                    ApiKey = Guid.NewGuid().ToString(),
+                    SecurityStamp = Guid.NewGuid().ToString()
+                };
+                var createdAdditionalUser = await userRepo.CreateAsync(additionalUser);
+
+                var additionalOrgUser = new OrganizationUser
+                {
+                    OrganizationId = organization.Id,
+                    UserId = createdAdditionalUser.Id,
+                    Status = OrganizationUserStatusType.Confirmed,
+                    Type = OrganizationUserType.User
+                };
+                additionalOrgUsers.Add(additionalOrgUser);
+            }
+            await orgUserRepo.CreateManyAsync(additionalOrgUsers);
+        }
+
+        // 5. Create SsoConfig, if ssoConfigConfig is not null
+        SsoConfig? ssoConfig = null;
+        if (_includeSsoConfig)
+        {
+            ssoConfig = new SsoConfig
+            {
+                OrganizationId = authOrganizationId,
+                Enabled = true
+            };
+            ssoConfig.SetData(new SsoConfigurationData());
+            _ssoConfigConfig?.Invoke(ssoConfig);
+
+            var ssoConfigRepo = factory.Services.GetRequiredService<ISsoConfigRepository>();
+            ssoConfig = await ssoConfigRepo.CreateAsync(ssoConfig);
+        }
+
+        // 6. Optionally create SsoUser (using pre-generated providerUserId as ExternalId)
+        SsoUser? ssoUser = null;
+        if (_includeSsoUser)
+        {
+            ssoUser = new SsoUser
+            {
+                OrganizationId = organization.Id,
+                UserId = user!.Id,
+                ExternalId = providerUserId
+            };
+            _ssoUserConfig?.Invoke(ssoUser);
+
+            var ssoUserRepo = factory.Services.GetRequiredService<ISsoUserRepository>();
+            ssoUser = await ssoUserRepo.CreateAsync(ssoUser);
+        }
+
+        return new SsoTestData(factory, organization, user, orgUser, ssoConfig, ssoUser);
+    }
+}
--- a/bitwarden_license/test/Sso.IntegrationTest/Utilities/SuccessfulAuthResult.cs
+++ b/bitwarden_license/test/Sso.IntegrationTest/Utilities/SuccessfulAuthResult.cs
@ -0,0 +1,88 @@
+using System.Security.Claims;
+using Bit.Core;
+using Duende.IdentityModel;
+using Microsoft.AspNetCore.Authentication;
+
+namespace Bitwarden.License.Test.Sso.IntegrationTest.Utilities;
+
+/// <summary>
+/// Creates a mock for use in tests requiring a valid external authentication result.
+/// </summary>
+internal static class MockSuccessfulAuthResult
+{
+    /// <summary>
+    /// Since this tests the external Authentication flow, only the OrganizationId is strictly required.
+    /// However, some tests may require additional claims to be present, so they can be optionally added.
+    /// </summary>
+    /// <param name="organizationId"></param>
+    /// <param name="providerUserId"></param>
+    /// <param name="email"></param>
+    /// <param name="name"></param>
+    /// <param name="acrValue"></param>
+    /// <param name="userIdentifier"></param>
+    /// <returns></returns>
+    public static AuthenticateResult Build(
+            Guid organizationId,
+            string? providerUserId,
+            string? email,
+            string? name = null,
+            string? acrValue = null,
+            string? userIdentifier = null)
+    {
+        return Build(organizationId.ToString(), providerUserId, email, name, acrValue, userIdentifier);
+    }
+
+    /// <summary>
+    /// Overload that accepts a custom scheme string. Useful for testing invalid provider scenarios
+    /// where the scheme is not a valid GUID.
+    /// </summary>
+    public static AuthenticateResult Build(
+            string scheme,
+            string? providerUserId,
+            string? email,
+            string? name = null,
+            string? acrValue = null,
+            string? userIdentifier = null)
+    {
+        var claims = new List<Claim>();
+
+        if (!string.IsNullOrEmpty(email))
+        {
+            claims.Add(new Claim(JwtClaimTypes.Email, email));
+        }
+
+        if (!string.IsNullOrEmpty(providerUserId))
+        {
+            claims.Add(new Claim(JwtClaimTypes.Subject, providerUserId));
+        }
+
+        if (!string.IsNullOrEmpty(name))
+        {
+            claims.Add(new Claim(JwtClaimTypes.Name, name));
+        }
+
+        if (!string.IsNullOrEmpty(acrValue))
+        {
+            claims.Add(new Claim(JwtClaimTypes.AuthenticationContextClassReference, acrValue));
+        }
+
+        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "External"));
+        var properties = new AuthenticationProperties
+        {
+            Items =
+            {
+                ["scheme"] = scheme,
+                ["return_url"] = "~/",
+                ["state"] = "test-state",
+                ["user_identifier"] = userIdentifier ?? string.Empty
+            }
+        };
+
+        var ticket = new AuthenticationTicket(
+            principal,
+            properties,
+            AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme);
+
+        return AuthenticateResult.Success(ticket);
+    }
+}
--- a/dev/docker-compose.yml
+++ b/dev/docker-compose.yml
@ -99,7 +99,7 @@ services:
      - idp

  rabbitmq:
-    image: rabbitmq:4.1.3-management
+    image: rabbitmq:4.2.0-management
    ports:
      - "5672:5672"
      - "15672:15672"
--- a/dev/generate_openapi_files.ps1
+++ b/dev/generate_openapi_files.ps1
@ -18,11 +18,11 @@ if ($LASTEXITCODE -ne 0) {
 # Api internal & public
 Set-Location "../../src/Api"
 dotnet build
-dotnet swagger tofile --output "../../api.json" --host "https://api.bitwarden.com" "./bin/Debug/net8.0/Api.dll" "internal"
+dotnet swagger tofile --output "../../api.json" "./bin/Debug/net8.0/Api.dll" "internal"
 if ($LASTEXITCODE -ne 0) {
    exit $LASTEXITCODE
 }
-dotnet swagger tofile --output "../../api.public.json" --host "https://api.bitwarden.com" "./bin/Debug/net8.0/Api.dll" "public"
+dotnet swagger tofile --output "../../api.public.json" "./bin/Debug/net8.0/Api.dll" "public"
 if ($LASTEXITCODE -ne 0) {
    exit $LASTEXITCODE
 }
--- a/dev/secrets.json.example
+++ b/dev/secrets.json.example
@ -33,6 +33,10 @@
      "id": "<your Installation Id>",
      "key": "<your Installation Key>"
    },
+    "events": {
+      "connectionString": "",
+      "queueName": "event"
+    },
    "licenseDirectory": "<full path to license directory>",
    "enableNewDeviceVerification": true,
    "enableEmailVerification": true
--- a/dev/verify_migrations.ps1
+++ b/dev/verify_migrations.ps1
@ -0,0 +1,132 @@
+#!/usr/bin/env pwsh
+
+<#
+.SYNOPSIS
+    Validates that new database migration files follow naming conventions and chronological order.
+
+.DESCRIPTION
+    This script validates migration files in util/Migrator/DbScripts/ to ensure:
+    1. New migrations follow the naming format: YYYY-MM-DD_NN_Description.sql
+    2. New migrations are chronologically ordered (filename sorts after existing migrations)
+    3. Dates use leading zeros (e.g., 2025-01-05, not 2025-1-5)
+    4. A 2-digit sequence number is included (e.g., _00, _01)
+
+.PARAMETER BaseRef
+    The base git reference to compare against (e.g., 'main', 'HEAD~1')
+
+.PARAMETER CurrentRef
+    The current git reference (defaults to 'HEAD')
+
+.EXAMPLE
+    # For pull requests - compare against main branch
+    .\verify_migrations.ps1 -BaseRef main
+
+.EXAMPLE
+    # For pushes - compare against previous commit
+    .\verify_migrations.ps1 -BaseRef HEAD~1
+#>
+
+param(
+    [Parameter(Mandatory = $true)]
+    [string]$BaseRef,
+
+    [Parameter(Mandatory = $false)]
+    [string]$CurrentRef = "HEAD"
+)
+
+# Use invariant culture for consistent string comparison
+[System.Threading.Thread]::CurrentThread.CurrentCulture = [System.Globalization.CultureInfo]::InvariantCulture
+
+$migrationPath = "util/Migrator/DbScripts"
+
+# Get list of migrations from base reference
+try {
+    $baseMigrations = git ls-tree -r --name-only $BaseRef -- "$migrationPath/" 2>$null | Where-Object { $_ -like "*.sql" } | Sort-Object
+    if ($LASTEXITCODE -ne 0) {
+        Write-Host "Warning: Could not retrieve migrations from base reference '$BaseRef'"
+        $baseMigrations = @()
+    }
+}
+catch {
+    Write-Host "Warning: Could not retrieve migrations from base reference '$BaseRef'"
+    $baseMigrations = @()
+}
+
+# Get list of migrations from current reference
+$currentMigrations = git ls-tree -r --name-only $CurrentRef -- "$migrationPath/" | Where-Object { $_ -like "*.sql" } | Sort-Object
+
+# Find added migrations
+$addedMigrations = $currentMigrations | Where-Object { $_ -notin $baseMigrations }
+
+if ($addedMigrations.Count -eq 0) {
+    Write-Host "No new migration files added."
+    exit 0
+}
+
+Write-Host "New migration files detected:"
+$addedMigrations | ForEach-Object { Write-Host "  $_" }
+Write-Host ""
+
+# Get the last migration from base reference
+if ($baseMigrations.Count -eq 0) {
+    Write-Host "No previous migrations found (initial commit?). Skipping validation."
+    exit 0
+}
+
+$lastBaseMigration = Split-Path -Leaf ($baseMigrations | Select-Object -Last 1)
+Write-Host "Last migration in base reference: $lastBaseMigration"
+Write-Host ""
+
+# Required format regex: YYYY-MM-DD_NN_Description.sql
+$formatRegex = '^[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}_.+\.sql$'
+
+$validationFailed = $false
+
+foreach ($migration in $addedMigrations) {
+    $migrationName = Split-Path -Leaf $migration
+
+    # Validate NEW migration filename format
+    if ($migrationName -notmatch $formatRegex) {
+        Write-Host "ERROR: Migration '$migrationName' does not match required format"
+        Write-Host "Required format: YYYY-MM-DD_NN_Description.sql"
+        Write-Host "  - YYYY: 4-digit year"
+        Write-Host "  - MM: 2-digit month with leading zero (01-12)"
+        Write-Host "  - DD: 2-digit day with leading zero (01-31)"
+        Write-Host "  - NN: 2-digit sequence number (00, 01, 02, etc.)"
+        Write-Host "Example: 2025-01-15_00_MyMigration.sql"
+        $validationFailed = $true
+        continue
+    }
+
+    # Compare migration name with last base migration (using ordinal string comparison)
+    if ([string]::CompareOrdinal($migrationName, $lastBaseMigration) -lt 0) {
+        Write-Host "ERROR: New migration '$migrationName' is not chronologically after '$lastBaseMigration'"
+        $validationFailed = $true
+    }
+    else {
+        Write-Host "OK: '$migrationName' is chronologically after '$lastBaseMigration'"
+    }
+}
+
+Write-Host ""
+
+if ($validationFailed) {
+    Write-Host "FAILED: One or more migrations are incorrectly named or not in chronological order"
+    Write-Host ""
+    Write-Host "All new migration files must:"
+    Write-Host "  1. Follow the naming format: YYYY-MM-DD_NN_Description.sql"
+    Write-Host "  2. Use leading zeros in dates (e.g., 2025-01-05, not 2025-1-5)"
+    Write-Host "  3. Include a 2-digit sequence number (e.g., _00, _01)"
+    Write-Host "  4. Have a filename that sorts after the last migration in base"
+    Write-Host ""
+    Write-Host "To fix this issue:"
+    Write-Host "  1. Locate your migration file(s) in util/Migrator/DbScripts/"
+    Write-Host "  2. Rename to follow format: YYYY-MM-DD_NN_Description.sql"
+    Write-Host "  3. Ensure the date is after $lastBaseMigration"
+    Write-Host ""
+    Write-Host "Example: 2025-01-15_00_AddNewFeature.sql"
+    exit 1
+}
+
+Write-Host "SUCCESS: All new migrations are correctly named and in chronological order"
+exit 0
--- a/global.json
+++ b/global.json
@ -5,6 +5,7 @@
  },
  "msbuild-sdks": {
    "Microsoft.Build.Traversal": "4.1.0",
-    "Microsoft.Build.Sql": "1.0.0"
+    "Microsoft.Build.Sql": "1.0.0",
+    "Bitwarden.Server.Sdk": "1.2.0"
  }
 }
--- a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
@ -14,8 +14,10 @@ using Bit.Core.AdminConsole.Providers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
+using Bit.Core.Billing.Organizations.Services;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Providers.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Models.OrganizationConnectionConfigs;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
@ -41,7 +43,7 @@ public class OrganizationsController : Controller
    private readonly ICollectionRepository _collectionRepository;
    private readonly IGroupRepository _groupRepository;
    private readonly IPolicyRepository _policyRepository;
-    private readonly IPaymentService _paymentService;
+    private readonly IStripePaymentService _paymentService;
    private readonly IApplicationCacheService _applicationCacheService;
    private readonly GlobalSettings _globalSettings;
    private readonly IProviderRepository _providerRepository;
@ -56,6 +58,7 @@ public class OrganizationsController : Controller
    private readonly IOrganizationInitiateDeleteCommand _organizationInitiateDeleteCommand;
    private readonly IPricingClient _pricingClient;
    private readonly IResendOrganizationInviteCommand _resendOrganizationInviteCommand;
+    private readonly IOrganizationBillingService _organizationBillingService;

    public OrganizationsController(
        IOrganizationRepository organizationRepository,
@ -66,7 +69,7 @@ public class OrganizationsController : Controller
        ICollectionRepository collectionRepository,
        IGroupRepository groupRepository,
        IPolicyRepository policyRepository,
-        IPaymentService paymentService,
+        IStripePaymentService paymentService,
        IApplicationCacheService applicationCacheService,
        GlobalSettings globalSettings,
        IProviderRepository providerRepository,
@ -80,7 +83,8 @@ public class OrganizationsController : Controller
        IProviderBillingService providerBillingService,
        IOrganizationInitiateDeleteCommand organizationInitiateDeleteCommand,
        IPricingClient pricingClient,
-        IResendOrganizationInviteCommand resendOrganizationInviteCommand)
+        IResendOrganizationInviteCommand resendOrganizationInviteCommand,
+        IOrganizationBillingService organizationBillingService)
    {
        _organizationRepository = organizationRepository;
        _organizationUserRepository = organizationUserRepository;
@ -105,6 +109,7 @@ public class OrganizationsController : Controller
        _organizationInitiateDeleteCommand = organizationInitiateDeleteCommand;
        _pricingClient = pricingClient;
        _resendOrganizationInviteCommand = resendOrganizationInviteCommand;
+        _organizationBillingService = organizationBillingService;
    }

    [RequirePermission(Permission.Org_List_View)]
@ -241,6 +246,8 @@ public class OrganizationsController : Controller
        var existingOrganizationData = new Organization
        {
            Id = organization.Id,
+            Name = organization.Name,
+            BillingEmail = organization.BillingEmail,
            Status = organization.Status,
            PlanType = organization.PlanType,
            Seats = organization.Seats
@ -286,6 +293,22 @@ public class OrganizationsController : Controller

        await _applicationCacheService.UpsertOrganizationAbilityAsync(organization);

+        // Sync name/email changes to Stripe
+        if (existingOrganizationData.Name != organization.Name || existingOrganizationData.BillingEmail != organization.BillingEmail)
+        {
+            try
+            {
+                await _organizationBillingService.UpdateOrganizationNameAndEmail(organization);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex,
+                    "Failed to update Stripe customer for organization {OrganizationId}. Database was updated successfully.",
+                    organization.Id);
+                TempData["Warning"] = "Organization updated successfully, but Stripe customer name/email synchronization failed.";
+            }
+        }
+
        return RedirectToAction("Edit", new { id });
    }

@ -473,6 +496,8 @@ public class OrganizationsController : Controller
            organization.UseOrganizationDomains = model.UseOrganizationDomains;
            organization.UseAdminSponsoredFamilies = model.UseAdminSponsoredFamilies;
            organization.UseAutomaticUserConfirmation = model.UseAutomaticUserConfirmation;
+            organization.UseDisableSmAdsForUsers = model.UseDisableSmAdsForUsers;
+            organization.UsePhishingBlocker = model.UsePhishingBlocker;

            //secrets
            organization.SmSeats = model.SmSeats;
--- a/src/Admin/AdminConsole/Controllers/ProvidersController.cs
+++ b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
@ -56,6 +56,7 @@ public class ProvidersController : Controller
    private readonly IStripeAdapter _stripeAdapter;
    private readonly IAccessControlService _accessControlService;
    private readonly ISubscriberService _subscriberService;
+    private readonly ILogger<ProvidersController> _logger;

    public ProvidersController(IOrganizationRepository organizationRepository,
        IResellerClientOrganizationSignUpCommand resellerClientOrganizationSignUpCommand,
@ -72,7 +73,8 @@ public class ProvidersController : Controller
        IPricingClient pricingClient,
        IStripeAdapter stripeAdapter,
        IAccessControlService accessControlService,
-        ISubscriberService subscriberService)
+        ISubscriberService subscriberService,
+        ILogger<ProvidersController> logger)
    {
        _organizationRepository = organizationRepository;
        _resellerClientOrganizationSignUpCommand = resellerClientOrganizationSignUpCommand;
@ -92,6 +94,7 @@ public class ProvidersController : Controller
        _braintreeMerchantUrl = webHostEnvironment.GetBraintreeMerchantUrl();
        _braintreeMerchantId = globalSettings.Braintree.MerchantId;
        _subscriberService = subscriberService;
+        _logger = logger;
    }

    [RequirePermission(Permission.Provider_List_View)]
@ -296,6 +299,9 @@ public class ProvidersController : Controller

        var originalProviderStatus = provider.Enabled;

+        // Capture original billing email before modifications for Stripe sync
+        var originalBillingEmail = provider.BillingEmail;
+
        model.ToProvider(provider);

        // validate the stripe ids to prevent saving a bad one
@ -321,6 +327,22 @@ public class ProvidersController : Controller
        await _providerService.UpdateAsync(provider);
        await _applicationCacheService.UpsertProviderAbilityAsync(provider);

+        // Sync billing email changes to Stripe
+        if (!string.IsNullOrEmpty(provider.GatewayCustomerId) && originalBillingEmail != provider.BillingEmail)
+        {
+            try
+            {
+                await _providerBillingService.UpdateProviderNameAndEmail(provider);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex,
+                    "Failed to update Stripe customer for provider {ProviderId}. Database was updated successfully.",
+                    provider.Id);
+                TempData["Warning"] = "Provider updated successfully, but Stripe customer email synchronization failed.";
+            }
+        }
+
        if (!provider.IsBillable())
        {
            return RedirectToAction("Edit", new { id });
@ -339,11 +361,11 @@ public class ProvidersController : Controller
                    ]);
                await _providerBillingService.UpdateSeatMinimums(updateMspSeatMinimumsCommand);

-                var customer = await _stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId);
+                var customer = await _stripeAdapter.GetCustomerAsync(provider.GatewayCustomerId);
                if (model.PayByInvoice != customer.ApprovedToPayByInvoice())
                {
                    var approvedToPayByInvoice = model.PayByInvoice ? "1" : "0";
-                    await _stripeAdapter.CustomerUpdateAsync(customer.Id, new CustomerUpdateOptions
+                    await _stripeAdapter.UpdateCustomerAsync(customer.Id, new CustomerUpdateOptions
                    {
                        Metadata = new Dictionary<string, string>
                        {
--- a/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
@ -107,6 +107,8 @@ public class OrganizationEditModel : OrganizationViewModel
        MaxAutoscaleSmServiceAccounts = org.MaxAutoscaleSmServiceAccounts;
        UseOrganizationDomains = org.UseOrganizationDomains;
        UseAutomaticUserConfirmation = org.UseAutomaticUserConfirmation;
+        UseDisableSmAdsForUsers = org.UseDisableSmAdsForUsers;
+        UsePhishingBlocker = org.UsePhishingBlocker;

        _plans = plans;
    }
@ -160,6 +162,8 @@ public class OrganizationEditModel : OrganizationViewModel
    public new bool UseSecretsManager { get; set; }
    [Display(Name = "Risk Insights")]
    public new bool UseRiskInsights { get; set; }
+    [Display(Name = "Phishing Blocker")]
+    public new bool UsePhishingBlocker { get; set; }
    [Display(Name = "Admin Sponsored Families")]
    public bool UseAdminSponsoredFamilies { get; set; }
    [Display(Name = "Self Host")]
@ -193,6 +197,8 @@ public class OrganizationEditModel : OrganizationViewModel
    public int? MaxAutoscaleSmServiceAccounts { get; set; }
    [Display(Name = "Use Organization Domains")]
    public bool UseOrganizationDomains { get; set; }
+    [Display(Name = "Disable SM Ads For Users")]
+    public new bool UseDisableSmAdsForUsers { get; set; }

    [Display(Name = "Automatic User Confirmation")]
    public bool UseAutomaticUserConfirmation { get; set; }
@ -327,6 +333,8 @@ public class OrganizationEditModel : OrganizationViewModel
        existingOrganization.SmServiceAccounts = SmServiceAccounts;
        existingOrganization.MaxAutoscaleSmServiceAccounts = MaxAutoscaleSmServiceAccounts;
        existingOrganization.UseOrganizationDomains = UseOrganizationDomains;
+        existingOrganization.UseDisableSmAdsForUsers = UseDisableSmAdsForUsers;
+        existingOrganization.UsePhishingBlocker = UsePhishingBlocker;
        return existingOrganization;
    }
 }
--- a/src/Admin/AdminConsole/Models/OrganizationViewModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationViewModel.cs
@ -75,6 +75,8 @@ public class OrganizationViewModel
    public int OccupiedSmSeatsCount { get; set; }
    public bool UseSecretsManager => Organization.UseSecretsManager;
    public bool UseRiskInsights => Organization.UseRiskInsights;
+    public bool UsePhishingBlocker => Organization.UsePhishingBlocker;
+    public bool UseDisableSmAdsForUsers => Organization.UseDisableSmAdsForUsers;
    public IEnumerable<OrganizationUserUserDetails> OwnersDetails { get; set; }
    public IEnumerable<OrganizationUserUserDetails> AdminsDetails { get; set; }
 }
--- a/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
+++ b/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
@ -156,6 +156,10 @@
                    <input type="checkbox" class="form-check-input" asp-for="UseAdminSponsoredFamilies" disabled='@(canEditPlan ? null : "disabled")'>
                    <label class="form-check-label" asp-for="UseAdminSponsoredFamilies"></label>
                </div>
+                <div class="form-check">
+                    <input type="checkbox" class="form-check-input" asp-for="UsePhishingBlocker" disabled='@(canEditPlan ? null : "disabled")'>
+                    <label class="form-check-label" asp-for="UsePhishingBlocker"></label>
+                </div>
                @if(FeatureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
                {
                    <div class="form-check">
@ -181,6 +185,13 @@
                    <input type="checkbox" class="form-check-input" asp-for="UseSecretsManager" disabled='@(canEditPlan ? null : "disabled")'>
                    <label class="form-check-label" asp-for="UseSecretsManager"></label>
                </div>
+                @if (FeatureService.IsEnabled(FeatureFlagKeys.SM1719_RemoveSecretsManagerAds))
+                {
+                    <div class="form-check">
+                        <input type="checkbox" class="form-check-input" asp-for="UseDisableSmAdsForUsers" disabled='@(canEditPlan ? null : "disabled")'>
+                        <label class="form-check-label" asp-for="UseDisableSmAdsForUsers"></label>
+                    </div>
+                }
            </div>
            <div class="col-2">
                <h3>Access Intelligence</h3>
--- a/src/Admin/Controllers/ToolsController.cs
+++ b/src/Admin/Controllers/ToolsController.cs
@ -8,6 +8,7 @@ using Bit.Admin.Utilities;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Organizations.Queries;
+using Bit.Core.Billing.Services;
 using Bit.Core.Entities;
 using Bit.Core.Platform.Installations;
 using Bit.Core.Repositories;
--- a/src/Admin/Controllers/UsersController.cs
+++ b/src/Admin/Controllers/UsersController.cs
@ -5,6 +5,7 @@ using Bit.Admin.Models;
 using Bit.Admin.Services;
 using Bit.Admin.Utilities;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Services;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@ -20,7 +21,7 @@ public class UsersController : Controller
 {
    private readonly IUserRepository _userRepository;
    private readonly ICipherRepository _cipherRepository;
-    private readonly IPaymentService _paymentService;
+    private readonly IStripePaymentService _paymentService;
    private readonly GlobalSettings _globalSettings;
    private readonly IAccessControlService _accessControlService;
    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
@ -30,7 +31,7 @@ public class UsersController : Controller
    public UsersController(
        IUserRepository userRepository,
        ICipherRepository cipherRepository,
-        IPaymentService paymentService,
+        IStripePaymentService paymentService,
        GlobalSettings globalSettings,
        IAccessControlService accessControlService,
        ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
--- a/src/Admin/Dockerfile
+++ b/src/Admin/Dockerfile
@ -1,7 +1,7 @@
 ###############################################
 #           Node.js build stage               #
 ###############################################
-FROM node:20-alpine3.21 AS node-build
+FROM --platform=$BUILDPLATFORM node:20-alpine3.21 AS node-build

 WORKDIR /app
 COPY src/Admin/package*.json ./
--- a/src/Api/AdminConsole/Authorization/Requirements/MemberRequirement.cs
+++ b/src/Api/AdminConsole/Authorization/Requirements/MemberRequirement.cs
@ -0,0 +1,14 @@
+using Bit.Core.Context;
+
+namespace Bit.Api.AdminConsole.Authorization.Requirements;
+
+/// <summary>
+/// Requires that the user is a member of the organization.
+/// </summary>
+public class MemberRequirement : IOrganizationRequirement
+{
+    public Task<bool> AuthorizeAsync(
+        CurrentContextOrganization? organizationClaims,
+        Func<Task<bool>> isProviderUserForOrg)
+        => Task.FromResult(organizationClaims is not null);
+}
--- a/src/Api/AdminConsole/Controllers/OrganizationIntegrationConfigurationController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationIntegrationConfigurationController.cs
@ -1,130 +0,0 @@
-using Bit.Api.AdminConsole.Models.Request.Organizations;
-using Bit.Api.AdminConsole.Models.Response.Organizations;
-using Bit.Core.Context;
-using Bit.Core.Exceptions;
-using Bit.Core.Repositories;
-using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Mvc;
-
-namespace Bit.Api.AdminConsole.Controllers;
-
-[Route("organizations/{organizationId:guid}/integrations/{integrationId:guid}/configurations")]
-[Authorize("Application")]
-public class OrganizationIntegrationConfigurationController(
-    ICurrentContext currentContext,
-    IOrganizationIntegrationRepository integrationRepository,
-    IOrganizationIntegrationConfigurationRepository integrationConfigurationRepository) : Controller
-{
-    [HttpGet("")]
-    public async Task<List<OrganizationIntegrationConfigurationResponseModel>> GetAsync(
-        Guid organizationId,
-        Guid integrationId)
-    {
-        if (!await HasPermission(organizationId))
-        {
-            throw new NotFoundException();
-        }
-        var integration = await integrationRepository.GetByIdAsync(integrationId);
-        if (integration == null || integration.OrganizationId != organizationId)
-        {
-            throw new NotFoundException();
-        }
-
-        var configurations = await integrationConfigurationRepository.GetManyByIntegrationAsync(integrationId);
-        return configurations
-            .Select(configuration => new OrganizationIntegrationConfigurationResponseModel(configuration))
-            .ToList();
-    }
-
-    [HttpPost("")]
-    public async Task<OrganizationIntegrationConfigurationResponseModel> CreateAsync(
-        Guid organizationId,
-        Guid integrationId,
-        [FromBody] OrganizationIntegrationConfigurationRequestModel model)
-    {
-        if (!await HasPermission(organizationId))
-        {
-            throw new NotFoundException();
-        }
-        var integration = await integrationRepository.GetByIdAsync(integrationId);
-        if (integration == null || integration.OrganizationId != organizationId)
-        {
-            throw new NotFoundException();
-        }
-        if (!model.IsValidForType(integration.Type))
-        {
-            throw new BadRequestException($"Invalid Configuration and/or Template for integration type {integration.Type}");
-        }
-
-        var organizationIntegrationConfiguration = model.ToOrganizationIntegrationConfiguration(integrationId);
-        var configuration = await integrationConfigurationRepository.CreateAsync(organizationIntegrationConfiguration);
-        return new OrganizationIntegrationConfigurationResponseModel(configuration);
-    }
-
-    [HttpPut("{configurationId:guid}")]
-    public async Task<OrganizationIntegrationConfigurationResponseModel> UpdateAsync(
-        Guid organizationId,
-        Guid integrationId,
-        Guid configurationId,
-        [FromBody] OrganizationIntegrationConfigurationRequestModel model)
-    {
-        if (!await HasPermission(organizationId))
-        {
-            throw new NotFoundException();
-        }
-        var integration = await integrationRepository.GetByIdAsync(integrationId);
-        if (integration == null || integration.OrganizationId != organizationId)
-        {
-            throw new NotFoundException();
-        }
-        if (!model.IsValidForType(integration.Type))
-        {
-            throw new BadRequestException($"Invalid Configuration and/or Template for integration type {integration.Type}");
-        }
-
-        var configuration = await integrationConfigurationRepository.GetByIdAsync(configurationId);
-        if (configuration is null || configuration.OrganizationIntegrationId != integrationId)
-        {
-            throw new NotFoundException();
-        }
-
-        var newConfiguration = model.ToOrganizationIntegrationConfiguration(configuration);
-        await integrationConfigurationRepository.ReplaceAsync(newConfiguration);
-
-        return new OrganizationIntegrationConfigurationResponseModel(newConfiguration);
-    }
-
-    [HttpDelete("{configurationId:guid}")]
-    public async Task DeleteAsync(Guid organizationId, Guid integrationId, Guid configurationId)
-    {
-        if (!await HasPermission(organizationId))
-        {
-            throw new NotFoundException();
-        }
-        var integration = await integrationRepository.GetByIdAsync(integrationId);
-        if (integration == null || integration.OrganizationId != organizationId)
-        {
-            throw new NotFoundException();
-        }
-
-        var configuration = await integrationConfigurationRepository.GetByIdAsync(configurationId);
-        if (configuration is null || configuration.OrganizationIntegrationId != integrationId)
-        {
-            throw new NotFoundException();
-        }
-
-        await integrationConfigurationRepository.DeleteAsync(configuration);
-    }
-
-    [HttpPost("{configurationId:guid}/delete")]
-    [Obsolete("This endpoint is deprecated. Use DELETE method instead")]
-    public async Task PostDeleteAsync(Guid organizationId, Guid integrationId, Guid configurationId)
-    {
-        await DeleteAsync(organizationId, integrationId, configurationId);
-    }
-
-    private async Task<bool> HasPermission(Guid organizationId)
-    {
-        return await currentContext.OrganizationOwner(organizationId);
-    }
-}
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@ -19,6 +19,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimed
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.SelfRevokeUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
@ -41,6 +42,8 @@ using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using V1_RevokeOrganizationUserCommand = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1.IRevokeOrganizationUserCommand;
+using V2_RevokeOrganizationUserCommand = Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v2;

 namespace Bit.Api.AdminConsole.Controllers;

@ -71,12 +74,15 @@ public class OrganizationUsersController : BaseAdminConsoleController
    private readonly IFeatureService _featureService;
    private readonly IPricingClient _pricingClient;
    private readonly IResendOrganizationInviteCommand _resendOrganizationInviteCommand;
+    private readonly IBulkResendOrganizationInvitesCommand _bulkResendOrganizationInvitesCommand;
    private readonly IAutomaticallyConfirmOrganizationUserCommand _automaticallyConfirmOrganizationUserCommand;
+    private readonly V2_RevokeOrganizationUserCommand.IRevokeOrganizationUserCommand _revokeOrganizationUserCommandVNext;
    private readonly IConfirmOrganizationUserCommand _confirmOrganizationUserCommand;
    private readonly IRestoreOrganizationUserCommand _restoreOrganizationUserCommand;
    private readonly IInitPendingOrganizationCommand _initPendingOrganizationCommand;
-    private readonly IRevokeOrganizationUserCommand _revokeOrganizationUserCommand;
+    private readonly V1_RevokeOrganizationUserCommand _revokeOrganizationUserCommand;
    private readonly IAdminRecoverAccountCommand _adminRecoverAccountCommand;
+    private readonly ISelfRevokeOrganizationUserCommand _selfRevokeOrganizationUserCommand;

    public OrganizationUsersController(IOrganizationRepository organizationRepository,
        IOrganizationUserRepository organizationUserRepository,
@ -103,10 +109,13 @@ public class OrganizationUsersController : BaseAdminConsoleController
        IConfirmOrganizationUserCommand confirmOrganizationUserCommand,
        IRestoreOrganizationUserCommand restoreOrganizationUserCommand,
        IInitPendingOrganizationCommand initPendingOrganizationCommand,
-        IRevokeOrganizationUserCommand revokeOrganizationUserCommand,
+        V1_RevokeOrganizationUserCommand revokeOrganizationUserCommand,
        IResendOrganizationInviteCommand resendOrganizationInviteCommand,
+        IBulkResendOrganizationInvitesCommand bulkResendOrganizationInvitesCommand,
        IAdminRecoverAccountCommand adminRecoverAccountCommand,
-        IAutomaticallyConfirmOrganizationUserCommand automaticallyConfirmOrganizationUserCommand)
+        IAutomaticallyConfirmOrganizationUserCommand automaticallyConfirmOrganizationUserCommand,
+        V2_RevokeOrganizationUserCommand.IRevokeOrganizationUserCommand revokeOrganizationUserCommandVNext,
+        ISelfRevokeOrganizationUserCommand selfRevokeOrganizationUserCommand)
    {
        _organizationRepository = organizationRepository;
        _organizationUserRepository = organizationUserRepository;
@ -131,12 +140,15 @@ public class OrganizationUsersController : BaseAdminConsoleController
        _featureService = featureService;
        _pricingClient = pricingClient;
        _resendOrganizationInviteCommand = resendOrganizationInviteCommand;
+        _bulkResendOrganizationInvitesCommand = bulkResendOrganizationInvitesCommand;
        _automaticallyConfirmOrganizationUserCommand = automaticallyConfirmOrganizationUserCommand;
+        _revokeOrganizationUserCommandVNext = revokeOrganizationUserCommandVNext;
        _confirmOrganizationUserCommand = confirmOrganizationUserCommand;
        _restoreOrganizationUserCommand = restoreOrganizationUserCommand;
        _initPendingOrganizationCommand = initPendingOrganizationCommand;
        _revokeOrganizationUserCommand = revokeOrganizationUserCommand;
        _adminRecoverAccountCommand = adminRecoverAccountCommand;
+        _selfRevokeOrganizationUserCommand = selfRevokeOrganizationUserCommand;
    }

    [HttpGet("{id}")]
@ -273,7 +285,17 @@ public class OrganizationUsersController : BaseAdminConsoleController
    public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> BulkReinvite(Guid orgId, [FromBody] OrganizationUserBulkRequestModel model)
    {
        var userId = _userService.GetProperUserId(User);
-        var result = await _organizationService.ResendInvitesAsync(orgId, userId.Value, model.Ids);
+
+        IEnumerable<Tuple<Core.Entities.OrganizationUser, string>> result;
+        if (_featureService.IsEnabled(FeatureFlagKeys.IncreaseBulkReinviteLimitForCloud))
+        {
+            result = await _bulkResendOrganizationInvitesCommand.BulkResendInvitesAsync(orgId, userId.Value, model.Ids);
+        }
+        else
+        {
+            result = await _organizationService.ResendInvitesAsync(orgId, userId.Value, model.Ids);
+        }
+
        return new ListResponseModel<OrganizationUserBulkResponseModel>(
            result.Select(t => new OrganizationUserBulkResponseModel(t.Item1.Id, t.Item2)));
    }
@ -483,43 +505,10 @@ public class OrganizationUsersController : BaseAdminConsoleController
        }
    }

+#nullable enable
    [HttpPut("{id}/reset-password")]
    [Authorize<ManageAccountRecoveryRequirement>]
    public async Task<IResult> PutResetPassword(Guid orgId, Guid id, [FromBody] OrganizationUserResetPasswordRequestModel model)
-    {
-        if (_featureService.IsEnabled(FeatureFlagKeys.AccountRecoveryCommand))
-        {
-            // TODO: remove legacy implementation after feature flag is enabled.
-            return await PutResetPasswordNew(orgId, id, model);
-        }
-
-        // Get the users role, since provider users aren't a member of the organization we use the owner check
-        var orgUserType = await _currentContext.OrganizationOwner(orgId)
-            ? OrganizationUserType.Owner
-            : _currentContext.Organizations?.FirstOrDefault(o => o.Id == orgId)?.Type;
-        if (orgUserType == null)
-        {
-            return TypedResults.NotFound();
-        }
-
-        var result = await _userService.AdminResetPasswordAsync(orgUserType.Value, orgId, id, model.NewMasterPasswordHash, model.Key);
-        if (result.Succeeded)
-        {
-            return TypedResults.Ok();
-        }
-
-        foreach (var error in result.Errors)
-        {
-            ModelState.AddModelError(string.Empty, error.Description);
-        }
-
-        await Task.Delay(2000);
-        return TypedResults.BadRequest(ModelState);
-    }
-
-#nullable enable
-    // TODO: make sure the route and authorize attributes are maintained when the legacy implementation is removed.
-    private async Task<IResult> PutResetPasswordNew(Guid orgId, Guid id, [FromBody] OrganizationUserResetPasswordRequestModel model)
    {
        var targetOrganizationUser = await _organizationUserRepository.GetByIdAsync(id);
        if (targetOrganizationUser == null || targetOrganizationUser.OrganizationId != orgId)
@ -650,6 +639,20 @@ public class OrganizationUsersController : BaseAdminConsoleController
        await RestoreOrRevokeUserAsync(orgId, id, _revokeOrganizationUserCommand.RevokeUserAsync);
    }

+    [HttpPut("revoke-self")]
+    [Authorize<MemberRequirement>]
+    public async Task<IResult> RevokeSelfAsync(Guid orgId)
+    {
+        var userId = _userService.GetProperUserId(User);
+        if (!userId.HasValue)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var result = await _selfRevokeOrganizationUserCommand.SelfRevokeUserAsync(orgId, userId.Value);
+        return Handle(result);
+    }
+
    [HttpPatch("{id}/revoke")]
    [Obsolete("This endpoint is deprecated. Use PUT method instead")]
    [Authorize<ManageUsersRequirement>]
@ -662,7 +665,29 @@ public class OrganizationUsersController : BaseAdminConsoleController
    [Authorize<ManageUsersRequirement>]
    public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> BulkRevokeAsync(Guid orgId, [FromBody] OrganizationUserBulkRequestModel model)
    {
-        return await RestoreOrRevokeUsersAsync(orgId, model, _revokeOrganizationUserCommand.RevokeUsersAsync);
+        if (!_featureService.IsEnabled(FeatureFlagKeys.BulkRevokeUsersV2))
+        {
+            return await RestoreOrRevokeUsersAsync(orgId, model, _revokeOrganizationUserCommand.RevokeUsersAsync);
+        }
+
+        var currentUserId = _userService.GetProperUserId(User);
+        if (currentUserId == null)
+        {
+            throw new UnauthorizedAccessException();
+        }
+
+        var results = await _revokeOrganizationUserCommandVNext.RevokeUsersAsync(
+            new V2_RevokeOrganizationUserCommand.RevokeOrganizationUsersRequest(
+                orgId,
+                model.Ids.ToArray(),
+                new StandardUser(currentUserId.Value, await _currentContext.OrganizationOwner(orgId))));
+
+        return new ListResponseModel<OrganizationUserBulkResponseModel>(results
+            .Select(result => new OrganizationUserBulkResponseModel(result.Id,
+                result.Result.Match(
+                    error => error.Message,
+                    _ => string.Empty
+                ))));
    }

    [HttpPatch("revoke")]
--- a/src/Api/AdminConsole/Controllers/PoliciesController.cs
+++ b/src/Api/AdminConsole/Controllers/PoliciesController.cs
@ -7,7 +7,6 @@ using Bit.Api.AdminConsole.Models.Request;
 using Bit.Api.AdminConsole.Models.Response.Helpers;
 using Bit.Api.AdminConsole.Models.Response.Organizations;
 using Bit.Api.Models.Response;
-using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
@ -42,7 +41,6 @@ public class PoliciesController : Controller
    private readonly IDataProtectorTokenFactory<OrgUserInviteTokenable> _orgUserInviteTokenDataFactory;
    private readonly IPolicyRepository _policyRepository;
    private readonly IUserService _userService;
-    private readonly IFeatureService _featureService;
    private readonly ISavePolicyCommand _savePolicyCommand;
    private readonly IVNextSavePolicyCommand _vNextSavePolicyCommand;

@ -55,7 +53,6 @@ public class PoliciesController : Controller
        IDataProtectorTokenFactory<OrgUserInviteTokenable> orgUserInviteTokenDataFactory,
        IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery,
        IOrganizationRepository organizationRepository,
-        IFeatureService featureService,
        ISavePolicyCommand savePolicyCommand,
        IVNextSavePolicyCommand vNextSavePolicyCommand)
    {
@ -69,7 +66,6 @@ public class PoliciesController : Controller
        _organizationRepository = organizationRepository;
        _orgUserInviteTokenDataFactory = orgUserInviteTokenDataFactory;
        _organizationHasVerifiedDomainsQuery = organizationHasVerifiedDomainsQuery;
-        _featureService = featureService;
        _savePolicyCommand = savePolicyCommand;
        _vNextSavePolicyCommand = vNextSavePolicyCommand;
    }
@ -215,15 +211,12 @@ public class PoliciesController : Controller
    }

    [HttpPut("{type}/vnext")]
-    [RequireFeatureAttribute(FeatureFlagKeys.CreateDefaultLocation)]
    [Authorize<ManagePoliciesRequirement>]
    public async Task<PolicyResponseModel> PutVNext(Guid orgId, PolicyType type, [FromBody] SavePolicyRequest model)
    {
        var savePolicyRequest = await model.ToSavePolicyModelAsync(orgId, type, _currentContext);

-        var policy = _featureService.IsEnabled(FeatureFlagKeys.PolicyValidatorsRefactor) ?
-            await _vNextSavePolicyCommand.SaveAsync(savePolicyRequest) :
-            await _savePolicyCommand.VNextSaveAsync(savePolicyRequest);
+        var policy = await _vNextSavePolicyCommand.SaveAsync(savePolicyRequest);

        return new PolicyResponseModel(policy);
    }
--- a/src/Api/AdminConsole/Controllers/ProviderClientsController.cs
+++ b/src/Api/AdminConsole/Controllers/ProviderClientsController.cs
@ -57,8 +57,7 @@ public class ProviderClientsController(
            Owner = user,
            BillingEmail = provider.BillingEmail,
            OwnerKey = requestBody.Key,
-            PublicKey = requestBody.KeyPair.PublicKey,
-            PrivateKey = requestBody.KeyPair.EncryptedPrivateKey,
+            Keys = requestBody.KeyPair.ToPublicKeyEncryptionKeyPairData(),
            CollectionName = requestBody.CollectionName,
            IsFromProvider = true
        };
--- a/src/Api/AdminConsole/Controllers/ProvidersController.cs
+++ b/src/Api/AdminConsole/Controllers/ProvidersController.cs
@ -5,6 +5,7 @@ using Bit.Api.AdminConsole.Models.Request.Providers;
 using Bit.Api.AdminConsole.Models.Response.Providers;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
+using Bit.Core.Billing.Providers.Services;
 using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
@ -23,15 +24,20 @@ public class ProvidersController : Controller
    private readonly IProviderService _providerService;
    private readonly ICurrentContext _currentContext;
    private readonly GlobalSettings _globalSettings;
+    private readonly IProviderBillingService _providerBillingService;
+    private readonly ILogger<ProvidersController> _logger;

    public ProvidersController(IUserService userService, IProviderRepository providerRepository,
-        IProviderService providerService, ICurrentContext currentContext, GlobalSettings globalSettings)
+        IProviderService providerService, ICurrentContext currentContext, GlobalSettings globalSettings,
+        IProviderBillingService providerBillingService, ILogger<ProvidersController> logger)
    {
        _userService = userService;
        _providerRepository = providerRepository;
        _providerService = providerService;
        _currentContext = currentContext;
        _globalSettings = globalSettings;
+        _providerBillingService = providerBillingService;
+        _logger = logger;
    }

    [HttpGet("{id:guid}")]
@ -65,7 +71,27 @@ public class ProvidersController : Controller
            throw new NotFoundException();
        }

+        // Capture original values before modifications for Stripe sync
+        var originalName = provider.Name;
+        var originalBillingEmail = provider.BillingEmail;
+
        await _providerService.UpdateAsync(model.ToProvider(provider, _globalSettings));
+
+        // Sync name/email changes to Stripe
+        if (originalName != provider.Name || originalBillingEmail != provider.BillingEmail)
+        {
+            try
+            {
+                await _providerBillingService.UpdateProviderNameAndEmail(provider);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex,
+                    "Failed to update Stripe customer for provider {ProviderId}. Database was updated successfully.",
+                    provider.Id);
+            }
+        }
+
        return new ProviderResponseModel(provider);
    }

--- a/src/Api/AdminConsole/Models/Request/Organizations/OrganizationCreateRequestModel.cs
+++ b/src/Api/AdminConsole/Models/Request/Organizations/OrganizationCreateRequestModel.cs
@ -113,11 +113,10 @@ public class OrganizationCreateRequestModel : IValidatableObject
                BillingAddressCountry = BillingAddressCountry,
            },
            InitiationPath = InitiationPath,
-            SkipTrial = SkipTrial
+            SkipTrial = SkipTrial,
+            Keys = Keys?.ToPublicKeyEncryptionKeyPairData()
        };

-        Keys?.ToOrganizationSignup(orgSignup);
-
        return orgSignup;
    }

--- a/src/Api/AdminConsole/Models/Request/Organizations/OrganizationIntegrationConfigurationRequestModel.cs
+++ b/src/Api/AdminConsole/Models/Request/Organizations/OrganizationIntegrationConfigurationRequestModel.cs
@ -1,108 +0,0 @@
-using System.Text.Json;
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Models.Data.EventIntegrations;
-using Bit.Core.Enums;
-
-
-namespace Bit.Api.AdminConsole.Models.Request.Organizations;
-
-public class OrganizationIntegrationConfigurationRequestModel
-{
-    public string? Configuration { get; set; }
-
-    public EventType? EventType { get; set; }
-
-    public string? Filters { get; set; }
-
-    public string? Template { get; set; }
-
-    public bool IsValidForType(IntegrationType integrationType)
-    {
-        switch (integrationType)
-        {
-            case IntegrationType.CloudBillingSync or IntegrationType.Scim:
-                return false;
-            case IntegrationType.Slack:
-                return !string.IsNullOrWhiteSpace(Template) &&
-                       IsConfigurationValid<SlackIntegrationConfiguration>() &&
-                       IsFiltersValid();
-            case IntegrationType.Webhook:
-                return !string.IsNullOrWhiteSpace(Template) &&
-                       IsConfigurationValid<WebhookIntegrationConfiguration>() &&
-                       IsFiltersValid();
-            case IntegrationType.Hec:
-                return !string.IsNullOrWhiteSpace(Template) &&
-                       Configuration is null &&
-                       IsFiltersValid();
-            case IntegrationType.Datadog:
-                return !string.IsNullOrWhiteSpace(Template) &&
-                       Configuration is null &&
-                       IsFiltersValid();
-            case IntegrationType.Teams:
-                return !string.IsNullOrWhiteSpace(Template) &&
-                       Configuration is null &&
-                       IsFiltersValid();
-            default:
-                return false;
-
-        }
-    }
-
-    public OrganizationIntegrationConfiguration ToOrganizationIntegrationConfiguration(Guid organizationIntegrationId)
-    {
-        return new OrganizationIntegrationConfiguration()
-        {
-            OrganizationIntegrationId = organizationIntegrationId,
-            Configuration = Configuration,
-            Filters = Filters,
-            EventType = EventType,
-            Template = Template
-        };
-    }
-
-    public OrganizationIntegrationConfiguration ToOrganizationIntegrationConfiguration(OrganizationIntegrationConfiguration currentConfiguration)
-    {
-        currentConfiguration.Configuration = Configuration;
-        currentConfiguration.EventType = EventType;
-        currentConfiguration.Filters = Filters;
-        currentConfiguration.Template = Template;
-
-        return currentConfiguration;
-    }
-
-    private bool IsConfigurationValid<T>()
-    {
-        if (string.IsNullOrWhiteSpace(Configuration))
-        {
-            return false;
-        }
-
-        try
-        {
-            var config = JsonSerializer.Deserialize<T>(Configuration);
-            return config is not null;
-        }
-        catch
-        {
-            return false;
-        }
-    }
-
-    private bool IsFiltersValid()
-    {
-        if (Filters is null)
-        {
-            return true;
-        }
-
-        try
-        {
-            var filters = JsonSerializer.Deserialize<IntegrationFilterGroup>(Filters);
-            return filters is not null;
-        }
-        catch
-        {
-            return false;
-        }
-    }
-}
--- a/src/Api/AdminConsole/Models/Request/Organizations/OrganizationKeysRequestModel.cs
+++ b/src/Api/AdminConsole/Models/Request/Organizations/OrganizationKeysRequestModel.cs
@ -2,8 +2,7 @@
 #nullable disable

 using System.ComponentModel.DataAnnotations;
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.Models.Business;
+using Bit.Core.KeyManagement.Models.Data;

 namespace Bit.Api.AdminConsole.Models.Request.Organizations;

@ -14,48 +13,10 @@ public class OrganizationKeysRequestModel
    [Required]
    public string EncryptedPrivateKey { get; set; }

-    public OrganizationSignup ToOrganizationSignup(OrganizationSignup existingSignup)
+    public PublicKeyEncryptionKeyPairData ToPublicKeyEncryptionKeyPairData()
    {
-        if (string.IsNullOrWhiteSpace(existingSignup.PublicKey))
-        {
-            existingSignup.PublicKey = PublicKey;
-        }
-
-        if (string.IsNullOrWhiteSpace(existingSignup.PrivateKey))
-        {
-            existingSignup.PrivateKey = EncryptedPrivateKey;
-        }
-
-        return existingSignup;
-    }
-
-    public OrganizationUpgrade ToOrganizationUpgrade(OrganizationUpgrade existingUpgrade)
-    {
-        if (string.IsNullOrWhiteSpace(existingUpgrade.PublicKey))
-        {
-            existingUpgrade.PublicKey = PublicKey;
-        }
-
-        if (string.IsNullOrWhiteSpace(existingUpgrade.PrivateKey))
-        {
-            existingUpgrade.PrivateKey = EncryptedPrivateKey;
-        }
-
-        return existingUpgrade;
-    }
-
-    public Organization ToOrganization(Organization existingOrg)
-    {
-        if (string.IsNullOrWhiteSpace(existingOrg.PublicKey))
-        {
-            existingOrg.PublicKey = PublicKey;
-        }
-
-        if (string.IsNullOrWhiteSpace(existingOrg.PrivateKey))
-        {
-            existingOrg.PrivateKey = EncryptedPrivateKey;
-        }
-
-        return existingOrg;
+        return new PublicKeyEncryptionKeyPairData(
+            wrappedPrivateKey: EncryptedPrivateKey,
+            publicKey: PublicKey);
    }
 }
--- a/src/Api/AdminConsole/Models/Request/Organizations/OrganizationNoPaymentCreateRequest.cs
+++ b/src/Api/AdminConsole/Models/Request/Organizations/OrganizationNoPaymentCreateRequest.cs
@ -110,10 +110,9 @@ public class OrganizationNoPaymentCreateRequest
                BillingAddressCountry = BillingAddressCountry,
            },
            InitiationPath = InitiationPath,
+            Keys = Keys?.ToPublicKeyEncryptionKeyPairData()
        };

-        Keys?.ToOrganizationSignup(orgSignup);
-
        return orgSignup;
    }
 }
--- a/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUpdateRequestModel.cs
+++ b/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUpdateRequestModel.cs
@ -22,7 +22,6 @@ public class OrganizationUpdateRequestModel
        OrganizationId = organizationId,
        Name = Name,
        BillingEmail = BillingEmail,
-        PublicKey = Keys?.PublicKey,
-        EncryptedPrivateKey = Keys?.EncryptedPrivateKey
+        Keys = Keys?.ToPublicKeyEncryptionKeyPairData()
    };
 }
--- a/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUpgradeRequestModel.cs
+++ b/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUpgradeRequestModel.cs
@ -43,11 +43,10 @@ public class OrganizationUpgradeRequestModel
            {
                BillingAddressCountry = BillingAddressCountry,
                BillingAddressPostalCode = BillingAddressPostalCode
-            }
+            },
+            Keys = Keys?.ToPublicKeyEncryptionKeyPairData()
        };

-        Keys?.ToOrganizationUpgrade(orgUpgrade);
-
        return orgUpgrade;
    }
 }
--- a/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUserRequestModels.cs
+++ b/src/Api/AdminConsole/Models/Request/Organizations/OrganizationUserRequestModels.cs
@ -119,7 +119,7 @@ public class OrganizationUserResetPasswordEnrollmentRequestModel

 public class OrganizationUserBulkRequestModel
 {
-    [Required]
+    [Required, MinLength(1)]
    public IEnumerable<Guid> Ids { get; set; }
 }

--- a/src/Api/AdminConsole/Models/Response/BaseProfileOrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/BaseProfileOrganizationResponseModel.cs
@ -47,6 +47,8 @@ public abstract class BaseProfileOrganizationResponseModel : ResponseModel
        UseAdminSponsoredFamilies = organizationDetails.UseAdminSponsoredFamilies;
        UseAutomaticUserConfirmation = organizationDetails.UseAutomaticUserConfirmation;
        UseSecretsManager = organizationDetails.UseSecretsManager;
+        UsePhishingBlocker = organizationDetails.UsePhishingBlocker;
+        UseDisableSMAdsForUsers = organizationDetails.UseDisableSMAdsForUsers;
        UsePasswordManager = organizationDetails.UsePasswordManager;
        SelfHost = organizationDetails.SelfHost;
        Seats = organizationDetails.Seats;
@ -99,6 +101,8 @@ public abstract class BaseProfileOrganizationResponseModel : ResponseModel
    public bool UseOrganizationDomains { get; set; }
    public bool UseAdminSponsoredFamilies { get; set; }
    public bool UseAutomaticUserConfirmation { get; set; }
+    public bool UseDisableSMAdsForUsers { get; set; }
+    public bool UsePhishingBlocker { get; set; }
    public bool SelfHost { get; set; }
    public int? Seats { get; set; }
    public short? MaxCollections { get; set; }
--- a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationResponseModel.cs
@ -1,10 +1,13 @@
 // FIXME: Update this file to be null safe and then delete the line below
 #nullable disable

+using System.Security.Claims;
 using System.Text.Json.Serialization;
 using Bit.Api.Models.Response;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Licenses;
+using Bit.Core.Billing.Licenses.Extensions;
 using Bit.Core.Billing.Organizations.Models;
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Business;
@ -71,6 +74,8 @@ public class OrganizationResponseModel : ResponseModel
        UseOrganizationDomains = organization.UseOrganizationDomains;
        UseAdminSponsoredFamilies = organization.UseAdminSponsoredFamilies;
        UseAutomaticUserConfirmation = organization.UseAutomaticUserConfirmation;
+        UseDisableSmAdsForUsers = organization.UseDisableSmAdsForUsers;
+        UsePhishingBlocker = organization.UsePhishingBlocker;
    }

    public Guid Id { get; set; }
@ -120,6 +125,8 @@ public class OrganizationResponseModel : ResponseModel
    public bool UseOrganizationDomains { get; set; }
    public bool UseAdminSponsoredFamilies { get; set; }
    public bool UseAutomaticUserConfirmation { get; set; }
+    public bool UseDisableSmAdsForUsers { get; set; }
+    public bool UsePhishingBlocker { get; set; }
 }

 public class OrganizationSubscriptionResponseModel : OrganizationResponseModel
@ -175,6 +182,30 @@ public class OrganizationSubscriptionResponseModel : OrganizationResponseModel
        }
    }

+    public OrganizationSubscriptionResponseModel(Organization organization, OrganizationLicense license, ClaimsPrincipal claimsPrincipal) :
+        this(organization, (Plan)null)
+    {
+        if (license != null)
+        {
+            // CRITICAL: When a license has a Token (JWT), ALWAYS use the expiration from the token claim
+            // The token's expiration is cryptographically secured and cannot be tampered with
+            // The file's Expires property can be manually edited and should NOT be trusted for display
+            if (claimsPrincipal != null)
+            {
+                Expiration = claimsPrincipal.GetValue<DateTime>(OrganizationLicenseConstants.Expires);
+                ExpirationWithoutGracePeriod = claimsPrincipal.GetValue<DateTime?>(OrganizationLicenseConstants.ExpirationWithoutGracePeriod);
+            }
+            else
+            {
+                // No token - use the license file expiration (for older licenses without tokens)
+                Expiration = license.Expires;
+                ExpirationWithoutGracePeriod = license.ExpirationWithoutGracePeriod ?? (license.Trial
+                    ? license.Expires
+                    : license.Expires?.AddDays(-Constants.OrganizationSelfHostSubscriptionGracePeriodDays));
+            }
+        }
+    }
+
    public string StorageName { get; set; }
    public double? StorageGb { get; set; }
    public BillingCustomerDiscount CustomerDiscount { get; set; }
--- a/src/Api/AdminConsole/Public/Controllers/MembersController.cs
+++ b/src/Api/AdminConsole/Public/Controllers/MembersController.cs
@ -6,6 +6,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@ -24,7 +25,7 @@ public class MembersController : Controller
    private readonly ICurrentContext _currentContext;
    private readonly IUpdateOrganizationUserCommand _updateOrganizationUserCommand;
    private readonly IUpdateOrganizationUserGroupsCommand _updateOrganizationUserGroupsCommand;
-    private readonly IPaymentService _paymentService;
+    private readonly IStripePaymentService _paymentService;
    private readonly IOrganizationRepository _organizationRepository;
    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
    private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
@ -37,7 +38,7 @@ public class MembersController : Controller
        ICurrentContext currentContext,
        IUpdateOrganizationUserCommand updateOrganizationUserCommand,
        IUpdateOrganizationUserGroupsCommand updateOrganizationUserGroupsCommand,
-        IPaymentService paymentService,
+        IStripePaymentService paymentService,
        IOrganizationRepository organizationRepository,
        ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
--- a/src/Api/AdminConsole/Public/Controllers/PoliciesController.cs
+++ b/src/Api/AdminConsole/Public/Controllers/PoliciesController.cs
@ -5,15 +5,10 @@ using System.Net;
 using Bit.Api.AdminConsole.Public.Models.Request;
 using Bit.Api.AdminConsole.Public.Models.Response;
 using Bit.Api.Models.Public.Response;
-using Bit.Core;
-using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
-using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
-using Bit.Core.AdminConsole.Services;
 using Bit.Core.Context;
-using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

@ -24,25 +19,16 @@ namespace Bit.Api.AdminConsole.Public.Controllers;
 public class PoliciesController : Controller
 {
    private readonly IPolicyRepository _policyRepository;
-    private readonly IPolicyService _policyService;
    private readonly ICurrentContext _currentContext;
-    private readonly IFeatureService _featureService;
-    private readonly ISavePolicyCommand _savePolicyCommand;
    private readonly IVNextSavePolicyCommand _vNextSavePolicyCommand;

    public PoliciesController(
        IPolicyRepository policyRepository,
-        IPolicyService policyService,
        ICurrentContext currentContext,
-        IFeatureService featureService,
-        ISavePolicyCommand savePolicyCommand,
        IVNextSavePolicyCommand vNextSavePolicyCommand)
    {
        _policyRepository = policyRepository;
-        _policyService = policyService;
        _currentContext = currentContext;
-        _featureService = featureService;
-        _savePolicyCommand = savePolicyCommand;
        _vNextSavePolicyCommand = vNextSavePolicyCommand;
    }

@ -97,17 +83,8 @@ public class PoliciesController : Controller
    [ProducesResponseType((int)HttpStatusCode.NotFound)]
    public async Task<IActionResult> Put(PolicyType type, [FromBody] PolicyUpdateRequestModel model)
    {
-        Policy policy;
-        if (_featureService.IsEnabled(FeatureFlagKeys.PolicyValidatorsRefactor))
-        {
-            var savePolicyModel = model.ToSavePolicyModel(_currentContext.OrganizationId!.Value, type);
-            policy = await _vNextSavePolicyCommand.SaveAsync(savePolicyModel);
-        }
-        else
-        {
-            var policyUpdate = model.ToPolicyUpdate(_currentContext.OrganizationId!.Value, type);
-            policy = await _savePolicyCommand.SaveAsync(policyUpdate);
-        }
+        var savePolicyModel = model.ToSavePolicyModel(_currentContext.OrganizationId!.Value, type);
+        var policy = await _vNextSavePolicyCommand.SaveAsync(savePolicyModel);

        var response = new PolicyResponseModel(policy);
        return new JsonResult(response);
--- a/src/Api/AdminConsole/Public/Models/Response/GroupResponseModel.cs
+++ b/src/Api/AdminConsole/Public/Models/Response/GroupResponseModel.cs
@ -2,6 +2,7 @@
 #nullable disable

 using System.ComponentModel.DataAnnotations;
+using System.Text.Json.Serialization;
 using Bit.Api.Models.Public.Response;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Models.Data;
@ -13,6 +14,12 @@ namespace Bit.Api.AdminConsole.Public.Models.Response;
 /// </summary>
 public class GroupResponseModel : GroupBaseModel, IResponseModel
 {
+    [JsonConstructor]
+    public GroupResponseModel()
+    {
+
+    }
+
    public GroupResponseModel(Group group, IEnumerable<CollectionAccessSelection> collections)
    {
        if (group == null)
--- a/src/Api/Api.csproj
+++ b/src/Api/Api.csproj
@ -33,7 +33,7 @@
  <ItemGroup>
    <PackageReference Include="AspNetCore.HealthChecks.SqlServer" Version="8.0.2" />
    <PackageReference Include="AspNetCore.HealthChecks.Uris" Version="8.0.1" />
-    <PackageReference Include="Azure.Messaging.EventGrid" Version="4.31.0" />
+    <PackageReference Include="Azure.Messaging.EventGrid" Version="5.0.0" />
    <PackageReference Include="Swashbuckle.AspNetCore" Version="9.0.4" />
  </ItemGroup>

--- a/src/Api/Auth/Controllers/AccountsController.cs
+++ b/src/Api/Auth/Controllers/AccountsController.cs
@ -18,6 +18,7 @@ using Bit.Core.Auth.UserFeatures.UserMasterPassword.Interfaces;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.KeyManagement.Kdf;
+using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.Queries.Interfaces;
 using Bit.Core.Models.Api.Response;
 using Bit.Core.Repositories;
@ -37,13 +38,16 @@ public class AccountsController : Controller
    private readonly IProviderUserRepository _providerUserRepository;
    private readonly IUserService _userService;
    private readonly IPolicyService _policyService;
+    private readonly ISetInitialMasterPasswordCommandV1 _setInitialMasterPasswordCommandV1;
    private readonly ISetInitialMasterPasswordCommand _setInitialMasterPasswordCommand;
+    private readonly ITdeSetPasswordCommand _tdeSetPasswordCommand;
    private readonly ITdeOffboardingPasswordCommand _tdeOffboardingPasswordCommand;
    private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery;
    private readonly IFeatureService _featureService;
    private readonly IUserAccountKeysQuery _userAccountKeysQuery;
    private readonly ITwoFactorEmailService _twoFactorEmailService;
    private readonly IChangeKdfCommand _changeKdfCommand;
+    private readonly IUserRepository _userRepository;

    public AccountsController(
        IOrganizationService organizationService,
@ -52,12 +56,15 @@ public class AccountsController : Controller
        IUserService userService,
        IPolicyService policyService,
        ISetInitialMasterPasswordCommand setInitialMasterPasswordCommand,
+        ISetInitialMasterPasswordCommandV1 setInitialMasterPasswordCommandV1,
+        ITdeSetPasswordCommand tdeSetPasswordCommand,
        ITdeOffboardingPasswordCommand tdeOffboardingPasswordCommand,
        ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
        IFeatureService featureService,
        IUserAccountKeysQuery userAccountKeysQuery,
        ITwoFactorEmailService twoFactorEmailService,
-        IChangeKdfCommand changeKdfCommand
+        IChangeKdfCommand changeKdfCommand,
+        IUserRepository userRepository
        )
    {
        _organizationService = organizationService;
@ -66,12 +73,15 @@ public class AccountsController : Controller
        _userService = userService;
        _policyService = policyService;
        _setInitialMasterPasswordCommand = setInitialMasterPasswordCommand;
+        _setInitialMasterPasswordCommandV1 = setInitialMasterPasswordCommandV1;
+        _tdeSetPasswordCommand = tdeSetPasswordCommand;
        _tdeOffboardingPasswordCommand = tdeOffboardingPasswordCommand;
        _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery;
        _featureService = featureService;
        _userAccountKeysQuery = userAccountKeysQuery;
        _twoFactorEmailService = twoFactorEmailService;
        _changeKdfCommand = changeKdfCommand;
+        _userRepository = userRepository;
    }


@ -204,7 +214,7 @@ public class AccountsController : Controller
    }

    [HttpPost("set-password")]
-    public async Task PostSetPasswordAsync([FromBody] SetPasswordRequestModel model)
+    public async Task PostSetPasswordAsync([FromBody] SetInitialPasswordRequestModel model)
    {
        var user = await _userService.GetUserByPrincipalAsync(User);
        if (user == null)
@ -212,33 +222,48 @@ public class AccountsController : Controller
            throw new UnauthorizedAccessException();
        }

-        try
+        if (model.IsV2Request())
        {
-            user = model.ToUser(user);
+            if (model.IsTdeSetPasswordRequest())
+            {
+                await _tdeSetPasswordCommand.SetMasterPasswordAsync(user, model.ToData());
+            }
+            else
+            {
+                await _setInitialMasterPasswordCommand.SetInitialMasterPasswordAsync(user, model.ToData());
+            }
        }
-        catch (Exception e)
+        else
        {
-            ModelState.AddModelError(string.Empty, e.Message);
+            // TODO removed with https://bitwarden.atlassian.net/browse/PM-27327
+            try
+            {
+                user = model.ToUser(user);
+            }
+            catch (Exception e)
+            {
+                ModelState.AddModelError(string.Empty, e.Message);
+                throw new BadRequestException(ModelState);
+            }
+
+            var result = await _setInitialMasterPasswordCommandV1.SetInitialMasterPasswordAsync(
+                user,
+                model.MasterPasswordHash,
+                model.Key,
+                model.OrgIdentifier);
+
+            if (result.Succeeded)
+            {
+                return;
+            }
+
+            foreach (var error in result.Errors)
+            {
+                ModelState.AddModelError(string.Empty, error.Description);
+            }
+
            throw new BadRequestException(ModelState);
        }
-
-        var result = await _setInitialMasterPasswordCommand.SetInitialMasterPasswordAsync(
-            user,
-            model.MasterPasswordHash,
-            model.Key,
-            model.OrgIdentifier);
-
-        if (result.Succeeded)
-        {
-            return;
-        }
-
-        foreach (var error in result.Errors)
-        {
-            ModelState.AddModelError(string.Empty, error.Description);
-        }
-
-        throw new BadRequestException(ModelState);
    }

    [HttpPost("verify-password")]
@ -432,16 +457,36 @@ public class AccountsController : Controller
            throw new UnauthorizedAccessException();
        }

-        if (_featureService.IsEnabled(FeatureFlagKeys.ReturnErrorOnExistingKeypair))
+        if (!string.IsNullOrWhiteSpace(user.PrivateKey) || !string.IsNullOrWhiteSpace(user.PublicKey))
        {
-            if (!string.IsNullOrWhiteSpace(user.PrivateKey) || !string.IsNullOrWhiteSpace(user.PublicKey))
-            {
-                throw new BadRequestException("User has existing keypair");
-            }
+            throw new BadRequestException("User has existing keypair");
+        }
+
+        if (model.AccountKeys != null)
+        {
+            var accountKeysData = model.AccountKeys.ToAccountKeysData();
+            if (!accountKeysData.IsV2Encryption())
+            {
+                throw new BadRequestException("AccountKeys are only supported for V2 encryption.");
+            }
+            await _userRepository.SetV2AccountCryptographicStateAsync(user.Id, accountKeysData);
+            return new KeysResponseModel(accountKeysData, user.Key);
+        }
+        else
+        {
+            // Todo: Drop this after a transition period. This will drop no-account-keys requests.
+            // The V1 check in the other branch should persist
+            // https://bitwarden.atlassian.net/browse/PM-27329
+            await _userService.SaveUserAsync(model.ToUser(user));
+            return new KeysResponseModel(new UserAccountKeysData
+            {
+                PublicKeyEncryptionKeyPairData = new PublicKeyEncryptionKeyPairData(
+                    user.PrivateKey,
+                    user.PublicKey
+                )
+            }, user.Key);
        }

-        await _userService.SaveUserAsync(model.ToUser(user));
-        return new KeysResponseModel(user);
    }

    [HttpGet("keys")]
@ -453,7 +498,8 @@ public class AccountsController : Controller
            throw new UnauthorizedAccessException();
        }

-        return new KeysResponseModel(user);
+        var accountKeys = await _userAccountKeysQuery.Run(user);
+        return new KeysResponseModel(accountKeys, user.Key);
    }

    [HttpDelete]
--- a/src/Api/Auth/Controllers/TwoFactorController.cs
+++ b/src/Api/Auth/Controllers/TwoFactorController.cs
@ -9,7 +9,6 @@ using Bit.Api.Models.Response;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Identity;
 using Bit.Core.Auth.Identity.TokenProviders;
-using Bit.Core.Auth.LoginFeatures.PasswordlessLogin.Interfaces;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Auth.Services;
 using Bit.Core.Context;
@ -35,7 +34,7 @@ public class TwoFactorController : Controller
    private readonly IOrganizationService _organizationService;
    private readonly UserManager<User> _userManager;
    private readonly ICurrentContext _currentContext;
-    private readonly IVerifyAuthRequestCommand _verifyAuthRequestCommand;
+    private readonly IAuthRequestRepository _authRequestRepository;
    private readonly IDuoUniversalTokenService _duoUniversalTokenService;
    private readonly IDataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable> _twoFactorAuthenticatorDataProtector;
    private readonly IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> _ssoEmailTwoFactorSessionDataProtector;
@ -47,7 +46,7 @@ public class TwoFactorController : Controller
        IOrganizationService organizationService,
        UserManager<User> userManager,
        ICurrentContext currentContext,
-        IVerifyAuthRequestCommand verifyAuthRequestCommand,
+        IAuthRequestRepository authRequestRepository,
        IDuoUniversalTokenService duoUniversalConfigService,
        IDataProtectorTokenFactory<TwoFactorAuthenticatorUserVerificationTokenable> twoFactorAuthenticatorDataProtector,
        IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> ssoEmailTwoFactorSessionDataProtector,
@ -58,7 +57,7 @@ public class TwoFactorController : Controller
        _organizationService = organizationService;
        _userManager = userManager;
        _currentContext = currentContext;
-        _verifyAuthRequestCommand = verifyAuthRequestCommand;
+        _authRequestRepository = authRequestRepository;
        _duoUniversalTokenService = duoUniversalConfigService;
        _twoFactorAuthenticatorDataProtector = twoFactorAuthenticatorDataProtector;
        _ssoEmailTwoFactorSessionDataProtector = ssoEmailTwoFactorSessionDataProtector;
@ -350,14 +349,15 @@ public class TwoFactorController : Controller

        if (user != null)
        {
-            // Check if 2FA email is from Passwordless.
+            // Check if 2FA email is from a device approval ("Log in with device") scenario.
            if (!string.IsNullOrEmpty(requestModel.AuthRequestAccessCode))
            {
-                if (await _verifyAuthRequestCommand
-                        .VerifyAuthRequestAsync(new Guid(requestModel.AuthRequestId),
-                            requestModel.AuthRequestAccessCode))
+                var authRequest = await _authRequestRepository.GetByIdAsync(new Guid(requestModel.AuthRequestId));
+                if (authRequest != null &&
+                    authRequest.IsValidForAuthentication(user.Id, requestModel.AuthRequestAccessCode))
                {
                    await _twoFactorEmailService.SendTwoFactorEmailAsync(user);
+                    return;
                }
            }
            else if (!string.IsNullOrEmpty(requestModel.SsoEmail2FaSessionToken))
--- a/src/Api/Auth/Controllers/WebAuthnController.cs
+++ b/src/Api/Auth/Controllers/WebAuthnController.cs
@ -21,7 +21,6 @@ using Microsoft.AspNetCore.Mvc;
 namespace Bit.Api.Auth.Controllers;

 [Route("webauthn")]
-[Authorize(Policies.Web)]
 public class WebAuthnController : Controller
 {
    private readonly IUserService _userService;
@ -62,6 +61,7 @@ public class WebAuthnController : Controller
        _featureService = featureService;
    }

+    [Authorize(Policies.Web)]
    [HttpGet("")]
    public async Task<ListResponseModel<WebAuthnCredentialResponseModel>> Get()
    {
@ -71,6 +71,7 @@ public class WebAuthnController : Controller
        return new ListResponseModel<WebAuthnCredentialResponseModel>(credentials.Select(c => new WebAuthnCredentialResponseModel(c)));
    }

+    [Authorize(Policies.Application)]
    [HttpPost("attestation-options")]
    public async Task<WebAuthnCredentialCreateOptionsResponseModel> AttestationOptions([FromBody] SecretVerificationRequestModel model)
    {
@ -88,6 +89,7 @@ public class WebAuthnController : Controller
        };
    }

+    [Authorize(Policies.Web)]
    [HttpPost("assertion-options")]
    public async Task<WebAuthnLoginAssertionOptionsResponseModel> AssertionOptions([FromBody] SecretVerificationRequestModel model)
    {
@ -104,6 +106,7 @@ public class WebAuthnController : Controller
        };
    }

+    [Authorize(Policies.Application)]
    [HttpPost("")]
    public async Task Post([FromBody] WebAuthnLoginCredentialCreateRequestModel model)
    {
@ -149,6 +152,7 @@ public class WebAuthnController : Controller
        }
    }

+    [Authorize(Policies.Application)]
    [HttpPut()]
    public async Task UpdateCredential([FromBody] WebAuthnLoginCredentialUpdateRequestModel model)
    {
@ -172,6 +176,7 @@ public class WebAuthnController : Controller
        await _credentialRepository.UpdateAsync(credential);
    }

+    [Authorize(Policies.Web)]
    [HttpPost("{id}/delete")]
    public async Task Delete(Guid id, [FromBody] SecretVerificationRequestModel model)
    {
--- a/src/Api/Auth/Models/Request/Accounts/SetInitialPasswordRequestModel.cs
+++ b/src/Api/Auth/Models/Request/Accounts/SetInitialPasswordRequestModel.cs
@ -0,0 +1,160 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Api.KeyManagement.Models.Requests;
+using Bit.Core.Auth.Models.Api.Request.Accounts;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.KeyManagement.Models.Api.Request;
+using Bit.Core.Utilities;
+
+namespace Bit.Api.Auth.Models.Request.Accounts;
+
+public class SetInitialPasswordRequestModel : IValidatableObject
+{
+    // TODO will be removed with https://bitwarden.atlassian.net/browse/PM-27327
+    [Obsolete("Use MasterPasswordAuthentication instead")]
+    [StringLength(300)]
+    public string? MasterPasswordHash { get; set; }
+
+    [Obsolete("Use MasterPasswordUnlock instead")]
+    public string? Key { get; set; }
+
+    [Obsolete("Use AccountKeys instead")]
+    public KeysRequestModel? Keys { get; set; }
+
+    [Obsolete("Use MasterPasswordAuthentication instead")]
+    public KdfType? Kdf { get; set; }
+
+    [Obsolete("Use MasterPasswordAuthentication instead")]
+    public int? KdfIterations { get; set; }
+
+    [Obsolete("Use MasterPasswordAuthentication instead")]
+    public int? KdfMemory { get; set; }
+
+    [Obsolete("Use MasterPasswordAuthentication instead")]
+    public int? KdfParallelism { get; set; }
+
+    public MasterPasswordAuthenticationDataRequestModel? MasterPasswordAuthentication { get; set; }
+    public MasterPasswordUnlockDataRequestModel? MasterPasswordUnlock { get; set; }
+    public AccountKeysRequestModel? AccountKeys { get; set; }
+
+    [StringLength(50)]
+    public string? MasterPasswordHint { get; set; }
+
+    [Required]
+    public required string OrgIdentifier { get; set; }
+
+    // TODO removed with https://bitwarden.atlassian.net/browse/PM-27327
+    public User ToUser(User existingUser)
+    {
+        existingUser.MasterPasswordHint = MasterPasswordHint;
+        existingUser.Kdf = Kdf!.Value;
+        existingUser.KdfIterations = KdfIterations!.Value;
+        existingUser.KdfMemory = KdfMemory;
+        existingUser.KdfParallelism = KdfParallelism;
+        existingUser.Key = Key;
+        Keys?.ToUser(existingUser);
+        return existingUser;
+    }
+
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        if (IsV2Request())
+        {
+            // V2 registration
+
+            // Validate Kdf
+            var authenticationKdf = MasterPasswordAuthentication!.Kdf.ToData();
+            var unlockKdf = MasterPasswordUnlock!.Kdf.ToData();
+
+            // Currently, KDF settings are not saved separately for authentication and unlock and must therefore be equal
+            if (!authenticationKdf.Equals(unlockKdf))
+            {
+                yield return new ValidationResult("KDF settings must be equal for authentication and unlock.",
+                    [$"{nameof(MasterPasswordAuthentication)}.{nameof(MasterPasswordAuthenticationDataRequestModel.Kdf)}",
+                        $"{nameof(MasterPasswordUnlock)}.{nameof(MasterPasswordUnlockDataRequestModel.Kdf)}"]);
+            }
+
+            var authenticationValidationErrors = KdfSettingsValidator.Validate(authenticationKdf).ToList();
+            if (authenticationValidationErrors.Count != 0)
+            {
+                yield return authenticationValidationErrors.First();
+            }
+
+            var unlockValidationErrors = KdfSettingsValidator.Validate(unlockKdf).ToList();
+            if (unlockValidationErrors.Count != 0)
+            {
+                yield return unlockValidationErrors.First();
+            }
+
+            yield break;
+        }
+
+        // V1 registration
+        // TODO removed with https://bitwarden.atlassian.net/browse/PM-27327
+        if (string.IsNullOrEmpty(MasterPasswordHash))
+        {
+            yield return new ValidationResult("MasterPasswordHash must be supplied.");
+        }
+
+        if (string.IsNullOrEmpty(Key))
+        {
+            yield return new ValidationResult("Key must be supplied.");
+        }
+
+        if (Kdf == null)
+        {
+            yield return new ValidationResult("Kdf must be supplied.");
+            yield break;
+        }
+
+        if (KdfIterations == null)
+        {
+            yield return new ValidationResult("KdfIterations must be supplied.");
+            yield break;
+        }
+
+        if (Kdf == KdfType.Argon2id)
+        {
+            if (KdfMemory == null)
+            {
+                yield return new ValidationResult("KdfMemory must be supplied when Kdf is Argon2id.");
+            }
+
+            if (KdfParallelism == null)
+            {
+                yield return new ValidationResult("KdfParallelism must be supplied when Kdf is Argon2id.");
+            }
+        }
+
+        var validationErrors = KdfSettingsValidator
+            .Validate(Kdf!.Value, KdfIterations!.Value, KdfMemory, KdfParallelism).ToList();
+        if (validationErrors.Count != 0)
+        {
+            yield return validationErrors.First();
+        }
+    }
+
+    public bool IsV2Request()
+    {
+        // AccountKeys can be null for TDE users, so we don't check that here
+        return MasterPasswordAuthentication != null && MasterPasswordUnlock != null;
+    }
+
+    public bool IsTdeSetPasswordRequest()
+    {
+        return AccountKeys == null;
+    }
+
+    public SetInitialMasterPasswordDataModel ToData()
+    {
+        return new SetInitialMasterPasswordDataModel
+        {
+            MasterPasswordAuthentication = MasterPasswordAuthentication!.ToData(),
+            MasterPasswordUnlock = MasterPasswordUnlock!.ToData(),
+            OrgSsoIdentifier = OrgIdentifier,
+            AccountKeys = AccountKeys?.ToAccountKeysData(),
+            MasterPasswordHint = MasterPasswordHint
+        };
+    }
+}
--- a/src/Api/Auth/Models/Request/Accounts/SetPasswordRequestModel.cs
+++ b/src/Api/Auth/Models/Request/Accounts/SetPasswordRequestModel.cs
@ -1,40 +0,0 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
-
-using System.ComponentModel.DataAnnotations;
-using Bit.Core.Auth.Models.Api.Request.Accounts;
-using Bit.Core.Entities;
-using Bit.Core.Enums;
-
-namespace Bit.Api.Auth.Models.Request.Accounts;
-
-public class SetPasswordRequestModel
-{
-    [Required]
-    [StringLength(300)]
-    public string MasterPasswordHash { get; set; }
-    [Required]
-    public string Key { get; set; }
-    [StringLength(50)]
-    public string MasterPasswordHint { get; set; }
-    public KeysRequestModel Keys { get; set; }
-    [Required]
-    public KdfType Kdf { get; set; }
-    [Required]
-    public int KdfIterations { get; set; }
-    public int? KdfMemory { get; set; }
-    public int? KdfParallelism { get; set; }
-    public string OrgIdentifier { get; set; }
-
-    public User ToUser(User existingUser)
-    {
-        existingUser.MasterPasswordHint = MasterPasswordHint;
-        existingUser.Kdf = Kdf;
-        existingUser.KdfIterations = KdfIterations;
-        existingUser.KdfMemory = KdfMemory;
-        existingUser.KdfParallelism = KdfParallelism;
-        existingUser.Key = Key;
-        Keys?.ToUser(existingUser);
-        return existingUser;
-    }
-}
--- a/src/Api/Auth/Models/Request/TwoFactorRequestModels.cs
+++ b/src/Api/Auth/Models/Request/TwoFactorRequestModels.cs
@ -273,7 +273,7 @@ public class TwoFactorWebAuthnDeleteRequestModel : SecretVerificationRequestMode
            yield return validationResult;
        }

-        if (!Id.HasValue || Id < 0 || Id > 5)
+        if (!Id.HasValue)
        {
            yield return new ValidationResult("Invalid Key Id", new string[] { nameof(Id) });
        }
--- a/src/Api/Billing/Controllers/AccountsBillingController.cs
+++ b/src/Api/Billing/Controllers/AccountsBillingController.cs
@ -1,7 +1,5 @@
-#nullable enable
-using Bit.Api.Billing.Models.Responses;
+using Bit.Api.Billing.Models.Responses;
 using Bit.Core.Billing.Services;
-using Bit.Core.Billing.Tax.Requests;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
 using Microsoft.AspNetCore.Authorization;
@ -12,10 +10,11 @@ namespace Bit.Api.Billing.Controllers;
 [Route("accounts/billing")]
 [Authorize("Application")]
 public class AccountsBillingController(
-    IPaymentService paymentService,
+    IStripePaymentService paymentService,
    IUserService userService,
    IPaymentHistoryService paymentHistoryService) : Controller
 {
+    // TODO: Migrate to Query / AccountBillingVNextController
    [HttpGet("history")]
    [SelfHosted(NotSelfHostedOnly = true)]
    public async Task<BillingHistoryResponseModel> GetBillingHistoryAsync()
@ -30,20 +29,7 @@ public class AccountsBillingController(
        return new BillingHistoryResponseModel(billingInfo);
    }

-    [HttpGet("payment-method")]
-    [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task<BillingPaymentResponseModel> GetPaymentMethodAsync()
-    {
-        var user = await userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        var billingInfo = await paymentService.GetBillingAsync(user);
-        return new BillingPaymentResponseModel(billingInfo);
-    }
-
+    // TODO: Migrate to Query / AccountBillingVNextController
    [HttpGet("invoices")]
    public async Task<IResult> GetInvoicesAsync([FromQuery] string? status = null, [FromQuery] string? startAfter = null)
    {
@ -62,6 +48,7 @@ public class AccountsBillingController(
        return TypedResults.Ok(invoices);
    }

+    // TODO: Migrate to Query / AccountBillingVNextController
    [HttpGet("transactions")]
    public async Task<IResult> GetTransactionsAsync([FromQuery] DateTime? startAfter = null)
    {
@ -78,18 +65,4 @@ public class AccountsBillingController(

        return TypedResults.Ok(transactions);
    }
-
-    [HttpPost("preview-invoice")]
-    public async Task<IResult> PreviewInvoiceAsync([FromBody] PreviewIndividualInvoiceRequestBody model)
-    {
-        var user = await userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        var invoice = await paymentService.PreviewInvoiceAsync(model, user.GatewayCustomerId, user.GatewaySubscriptionId);
-
-        return TypedResults.Ok(invoice);
-    }
 }
--- a/src/Api/Billing/Controllers/AccountsController.cs
+++ b/src/Api/Billing/Controllers/AccountsController.cs
@ -1,17 +1,12 @@
-#nullable enable
-
-using Bit.Api.Models.Request;
+using Bit.Api.Models.Request;
 using Bit.Api.Models.Request.Accounts;
 using Bit.Api.Models.Response;
 using Bit.Api.Utilities;
 using Bit.Core;
-using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Models.Business;
 using Bit.Core.Billing.Services;
 using Bit.Core.Exceptions;
-using Bit.Core.KeyManagement.Queries.Interfaces;
-using Bit.Core.Models.Business;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
@ -24,61 +19,14 @@ namespace Bit.Api.Billing.Controllers;
 [Authorize("Application")]
 public class AccountsController(
    IUserService userService,
-    ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
-    IUserAccountKeysQuery userAccountKeysQuery,
-    IFeatureService featureService) : Controller
+    IFeatureService featureService,
+    ILicensingService licensingService) : Controller
 {
-    [HttpPost("premium")]
-    public async Task<PaymentResponseModel> PostPremiumAsync(
-        PremiumRequestModel model,
-        [FromServices] GlobalSettings globalSettings)
-    {
-        var user = await userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        var valid = model.Validate(globalSettings);
-        UserLicense? license = null;
-        if (valid && globalSettings.SelfHosted)
-        {
-            license = await ApiHelpers.ReadJsonFileFromBody<UserLicense>(HttpContext, model.License);
-        }
-
-        if (!valid && !globalSettings.SelfHosted && string.IsNullOrWhiteSpace(model.Country))
-        {
-            throw new BadRequestException("Country is required.");
-        }
-
-        if (!valid || (globalSettings.SelfHosted && license == null))
-        {
-            throw new BadRequestException("Invalid license.");
-        }
-
-        var result = await userService.SignUpPremiumAsync(user, model.PaymentToken,
-            model.PaymentMethodType!.Value, model.AdditionalStorageGb.GetValueOrDefault(0), license,
-            new TaxInfo { BillingAddressCountry = model.Country, BillingAddressPostalCode = model.PostalCode });
-
-        var userTwoFactorEnabled = await twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(user);
-        var userHasPremiumFromOrganization = await userService.HasPremiumFromOrganization(user);
-        var organizationIdsClaimingActiveUser = await GetOrganizationIdsClaimingUserAsync(user.Id);
-        var accountKeys = await userAccountKeysQuery.Run(user);
-
-        var profile = new ProfileResponseModel(user, accountKeys, null, null, null, userTwoFactorEnabled,
-            userHasPremiumFromOrganization, organizationIdsClaimingActiveUser);
-        return new PaymentResponseModel
-        {
-            UserProfile = profile,
-            PaymentIntentClientSecret = result.Item2,
-            Success = result.Item1
-        };
-    }
-
+    // TODO: Migrate to Query / AccountBillingVNextController as part of Premium -> Organization upgrade work.
    [HttpGet("subscription")]
    public async Task<SubscriptionResponseModel> GetSubscriptionAsync(
        [FromServices] GlobalSettings globalSettings,
-        [FromServices] IPaymentService paymentService)
+        [FromServices] IStripePaymentService paymentService)
    {
        var user = await userService.GetUserByPrincipalAsync(User);
        if (user == null)
@ -97,12 +45,14 @@ public class AccountsController(
                var includeMilestone2Discount = featureService.IsEnabled(FeatureFlagKeys.PM23341_Milestone_2);
                var subscriptionInfo = await paymentService.GetSubscriptionAsync(user);
                var license = await userService.GenerateLicenseAsync(user, subscriptionInfo);
-                return new SubscriptionResponseModel(user, subscriptionInfo, license, includeMilestone2Discount);
+                var claimsPrincipal = licensingService.GetClaimsPrincipalFromLicense(license);
+                return new SubscriptionResponseModel(user, subscriptionInfo, license, claimsPrincipal, includeMilestone2Discount);
            }
            else
            {
                var license = await userService.GenerateLicenseAsync(user);
-                return new SubscriptionResponseModel(user, license);
+                var claimsPrincipal = licensingService.GetClaimsPrincipalFromLicense(license);
+                return new SubscriptionResponseModel(user, null, license, claimsPrincipal);
            }
        }
        else
@ -111,29 +61,7 @@ public class AccountsController(
        }
    }

-    [HttpPost("payment")]
-    [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task PostPaymentAsync([FromBody] PaymentRequestModel model)
-    {
-        var user = await userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        await userService.ReplacePaymentMethodAsync(user, model.PaymentToken, model.PaymentMethodType!.Value,
-            new TaxInfo
-            {
-                BillingAddressLine1 = model.Line1,
-                BillingAddressLine2 = model.Line2,
-                BillingAddressCity = model.City,
-                BillingAddressState = model.State,
-                BillingAddressCountry = model.Country,
-                BillingAddressPostalCode = model.PostalCode,
-                TaxIdNumber = model.TaxId
-            });
-    }
-
+    // TODO: Migrate to Command / AccountBillingVNextController as PUT /account/billing/vnext/subscription
    [HttpPost("storage")]
    [SelfHosted(NotSelfHostedOnly = true)]
    public async Task<PaymentResponseModel> PostStorageAsync([FromBody] StorageRequestModel model)
@ -148,8 +76,11 @@ public class AccountsController(
        return new PaymentResponseModel { Success = true, PaymentIntentClientSecret = result };
    }

-
-
+    /*
+     * TODO: A new version of this exists in the AccountBillingVNextController.
+     * The individual-self-hosting-license-uploader.component needs to be updated to use it.
+     * Then, this can be removed.
+     */
    [HttpPost("license")]
    [SelfHosted(SelfHostedOnly = true)]
    public async Task PostLicenseAsync(LicenseRequestModel model)
@ -169,6 +100,7 @@ public class AccountsController(
        await userService.UpdateLicenseAsync(user, license);
    }

+    // TODO: Migrate to Command / AccountBillingVNextController as DELETE /account/billing/vnext/subscription
    [HttpPost("cancel")]
    public async Task PostCancelAsync(
        [FromBody] SubscriptionCancellationRequestModel request,
@ -186,6 +118,7 @@ public class AccountsController(
            user.IsExpired());
    }

+    // TODO: Migrate to Command / AccountBillingVNextController as POST /account/billing/vnext/subscription/reinstate
    [HttpPost("reinstate-premium")]
    [SelfHosted(NotSelfHostedOnly = true)]
    public async Task PostReinstateAsync()
@ -199,41 +132,6 @@ public class AccountsController(
        await userService.ReinstatePremiumAsync(user);
    }

-    [HttpGet("tax")]
-    [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task<TaxInfoResponseModel> GetTaxInfoAsync(
-        [FromServices] IPaymentService paymentService)
-    {
-        var user = await userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        var taxInfo = await paymentService.GetTaxInfoAsync(user);
-        return new TaxInfoResponseModel(taxInfo);
-    }
-
-    [HttpPut("tax")]
-    [SelfHosted(NotSelfHostedOnly = true)]
-    public async Task PutTaxInfoAsync(
-        [FromBody] TaxInfoUpdateRequestModel model,
-        [FromServices] IPaymentService paymentService)
-    {
-        var user = await userService.GetUserByPrincipalAsync(User);
-        if (user == null)
-        {
-            throw new UnauthorizedAccessException();
-        }
-
-        var taxInfo = new TaxInfo
-        {
-            BillingAddressPostalCode = model.PostalCode,
-            BillingAddressCountry = model.Country,
-        };
-        await paymentService.SaveTaxInfoAsync(user, taxInfo);
-    }
-
    private async Task<IEnumerable<Guid>> GetOrganizationIdsClaimingUserAsync(Guid userId)
    {
        var organizationsClaimingUser = await userService.GetOrganizationsClaimingUserAsync(userId);
--- a/Show more
+++ b/Show more