chore(flags): [PM-28337] Remove account recovery permission feature flag

* Removed pm-24425-send-2fa-failed-email * Remove feature flag * Linting * Removed tests and cleaned up comment.
[PM-25949] ExternalCallback Integration tests for SSO Project (#6809 )
2026-01-12 06:53:23 +00:00 · 2026-01-11 12:04:10 -05:00 · 2026-01-10 09:02:50 -05:00 · 2026-01-09 16:34:06 +01:00 · 2026-01-09 10:04:52 -05:00 · 2026-01-09 09:17:45 +01:00
1690 changed files with 275983 additions and 24046 deletions
--- a/.claude/CLAUDE.md
+++ b/.claude/CLAUDE.md
@ -0,0 +1,77 @@
+# Bitwarden Server - Claude Code Configuration
+
+## Project Context Files
+
+**Read these files before reviewing to ensure that you fully understand the project and contributing guidelines**
+
+1. @README.md
+2. @CONTRIBUTING.md
+3. @.github/PULL_REQUEST_TEMPLATE.md
+
+## Critical Rules
+
+- **NEVER** use code regions: If complexity suggests regions, refactor for better readability
+
+- **NEVER** compromise zero-knowledge principles: User vault data must remain encrypted and inaccessible to Bitwarden
+
+- **NEVER** log or expose sensitive data: No PII, passwords, keys, or vault data in logs or error messages
+
+- **ALWAYS** use secure communication channels: Enforce confidentiality, integrity, and authenticity
+
+- **ALWAYS** encrypt sensitive data: All vault data must be encrypted at rest, in transit, and in use
+
+- **ALWAYS** prioritize cryptographic integrity and data protection
+
+- **ALWAYS** add unit tests (with mocking) for any new feature development
+
+## Project Structure
+
+- **Source Code**: `/src/` - Services and core infrastructure
+- **Tests**: `/test/` - Test logic aligning with the source structure, albeit with a `.Test` suffix
+- **Utilities**: `/util/` - Migration tools, seeders, and setup scripts
+- **Dev Tools**: `/dev/` - Local development helpers
+- **Configuration**: `appsettings.{Environment}.json`, `/dev/secrets.json` for local development
+
+## Security Requirements
+
+- **Compliance**: SOC 2 Type II, SOC 3, HIPAA, ISO 27001, GDPR, CCPA
+- **Principles**: Zero-knowledge, end-to-end encryption, secure defaults
+- **Validation**: Input sanitization, parameterized queries, rate limiting
+- **Logging**: Structured logs, no PII/sensitive data in logs
+
+## Common Commands
+
+- **Build**: `dotnet build`
+- **Test**: `dotnet test`
+- **Run locally**: `dotnet run --project src/Api`
+- **Database update**: `pwsh dev/migrate.ps1`
+- **Generate OpenAPI**: `pwsh dev/generate_openapi_files.ps1`
+
+## Development Workflow
+
+- Security impact assessed
+- xUnit tests added / updated
+- Performance impact considered
+- Error handling implemented
+- Breaking changes documented
+- CI passes: build, test, lint
+- Feature flags considered for new features
+- CODEOWNERS file respected
+
+### Key Architectural Decisions
+
+- Use .NET nullable reference types (ADR 0024)
+- TryAdd dependency injection pattern (ADR 0026)
+- Authorization patterns (ADR 0022)
+- OpenTelemetry for observability (ADR 0020)
+- Log to standard output (ADR 0021)
+
+## References
+
+- [Server architecture](https://contributing.bitwarden.com/architecture/server/)
+- [Architectural Decision Records (ADRs)](https://contributing.bitwarden.com/architecture/adr/)
+- [Contributing guidelines](https://contributing.bitwarden.com/contributing/)
+- [Setup guide](https://contributing.bitwarden.com/getting-started/server/guide/)
+- [Code style](https://contributing.bitwarden.com/contributing/code-style/)
+- [Bitwarden security whitepaper](https://bitwarden.com/help/bitwarden-security-white-paper/)
+- [Bitwarden security definitions](https://contributing.bitwarden.com/architecture/security/definitions)
--- a/.config/dotnet-tools.json
+++ b/.config/dotnet-tools.json
@ -3,7 +3,7 @@
  "isRoot": true,
  "tools": {
    "swashbuckle.aspnetcore.cli": {
-      "version": "9.0.2",
+      "version": "9.0.4",
      "commands": ["swagger"]
    },
    "dotnet-ef": {
--- a/.editorconfig
+++ b/.editorconfig
@ -123,3 +123,12 @@ csharp_style_namespace_declarations = file_scoped:warning
 # Switch expression
 dotnet_diagnostic.CS8509.severity = error # missing switch case for named enum value
 dotnet_diagnostic.CS8524.severity = none # missing switch case for unnamed enum value
+
+# CA2253: Named placeholders should nto be numeric values
+dotnet_diagnostic.CA2253.severity = suggestion
+
+# CA2254: Template should be a static expression
+dotnet_diagnostic.CA2254.severity = warning
+
+# CA1727: Use PascalCase for named placeholders
+dotnet_diagnostic.CA1727.severity = suggestion
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -4,11 +4,12 @@
 #
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners

-## Docker files have shared ownership ##
-**/Dockerfile
-**/*.Dockerfile
-**/.dockerignore
-**/entrypoint.sh
+## Docker-related files
+**/Dockerfile @bitwarden/team-appsec @bitwarden/dept-bre
+**/*.Dockerfile @bitwarden/team-appsec @bitwarden/dept-bre
+**/*.dockerignore @bitwarden/team-appsec @bitwarden/dept-bre
+**/docker-compose.yml @bitwarden/team-appsec @bitwarden/dept-bre
+**/entrypoint.sh @bitwarden/team-appsec @bitwarden/dept-bre

 ## BRE team owns these workflows ##
 .github/workflows/publish.yml @bitwarden/dept-bre
@ -35,6 +36,7 @@ util/Setup/** @bitwarden/dept-bre @bitwarden/team-platform-dev

 # UIF
 src/Core/MailTemplates/Mjml @bitwarden/team-ui-foundation # Teams are expected to own sub-directories of this project
+src/Core/MailTemplates/Mjml/.mjmlconfig # This change allows teams to add components within their own subdirectories without requiring a code review from UIF.

 # Auth team
 **/Auth @bitwarden/team-auth-dev
@ -51,6 +53,11 @@ src/Core/IdentityServer @bitwarden/team-auth-dev

 # Dirt (Data Insights & Reporting) team
 **/Dirt @bitwarden/team-data-insights-and-reporting-dev
+src/Events @bitwarden/team-data-insights-and-reporting-dev
+src/EventsProcessor @bitwarden/team-data-insights-and-reporting-dev
+test/Events.IntegrationTest @bitwarden/team-data-insights-and-reporting-dev
+test/Events.Test @bitwarden/team-data-insights-and-reporting-dev
+test/EventsProcessor.Test @bitwarden/team-data-insights-and-reporting-dev

 # Vault team
 **/Vault @bitwarden/team-vault-dev
@ -61,8 +68,6 @@ src/Core/IdentityServer @bitwarden/team-auth-dev
 bitwarden_license/src/Scim @bitwarden/team-admin-console-dev
 bitwarden_license/src/test/Scim.IntegrationTest @bitwarden/team-admin-console-dev
 bitwarden_license/src/test/Scim.ScimTest @bitwarden/team-admin-console-dev
-src/Events @bitwarden/team-admin-console-dev
-src/EventsProcessor @bitwarden/team-admin-console-dev

 # Billing team
 **/*billing* @bitwarden/team-billing-dev
@ -95,6 +100,14 @@ src/Admin/Views/Tools @bitwarden/team-billing-dev
 # The PushType enum is expected to be editted by anyone without need for Platform review
 src/Core/Platform/Push/PushType.cs

+# SDK
+util/RustSdk @bitwarden/team-sdk-sme
+
 # Multiple owners - DO NOT REMOVE (BRE)
 **/packages.lock.json
 Directory.Build.props
+
+# Claude related files
+.claude/ @bitwarden/team-ai-sme
+.github/workflows/respond.yml @bitwarden/team-ai-sme
+.github/workflows/review-code.yml @bitwarden/team-ai-sme
--- a/.github/ISSUE_TEMPLATE/bw-unified.yml
+++ b/.github/ISSUE_TEMPLATE/bw-unified.yml
@ -1,6 +1,6 @@
-name: Bitwarden Unified Deployment Bug Report
+name: Bitwarden lite Deployment Bug Report
 description: File a bug report
-labels: [bug, bw-unified-deploy]
+labels: [bug, bw-lite-deploy]
 body:
  - type: markdown
    attributes:
@ -70,15 +70,6 @@ body:
        mariadb:10
        # Postgres Example
        postgres:14
-  - type: textarea
-    id: epic-label
-    attributes:
-      label: Issue-Link
-      description: Link to our pinned issue, tracking all Bitwarden Unified
-      value: |
-        https://github.com/bitwarden/server/issues/2480
-    validations:
-      required: true
  - type: checkboxes
    id: issue-tracking-info
    attributes:
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@ -2,6 +2,7 @@
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["github>bitwarden/renovate-config"], // Extends our default configuration for pinned dependencies
  enabledManagers: [
+    "cargo",
    "dockerfile",
    "docker-compose",
    "github-actions",
@ -9,32 +10,7 @@
    "nuget",
  ],
  packageRules: [
-    {
-      groupName: "dockerfile minor",
-      matchManagers: ["dockerfile"],
-      matchUpdateTypes: ["minor"],
-    },
-    {
-      groupName: "docker-compose minor",
-      matchManagers: ["docker-compose"],
-      matchUpdateTypes: ["minor"],
-    },
-    {
-      groupName: "github-action minor",
-      matchManagers: ["github-actions"],
-      matchUpdateTypes: ["minor"],
-      addLabels: ["hold"],
-    },
-    {
-      // For any Microsoft.Extensions.* and Microsoft.AspNetCore.* packages, we want to create PRs for patch updates.
-      // This overrides the default that ignores patch updates for nuget dependencies.
-      matchPackageNames: [
-          "/^Microsoft\\.Extensions\\./",
-          "/^Microsoft\\.AspNetCore\\./",
-      ],
-      matchUpdateTypes: ["patch"],
-      dependencyDashboardApproval: false,
-    },
+    // ==================== Team Ownership Rules ====================
    {
      matchManagers: ["dockerfile", "docker-compose"],
      commitMessagePrefix: "[deps] BRE:",
@ -53,11 +29,11 @@
    },
    {
      matchPackageNames: [
-        "Azure.Extensions.AspNetCore.DataProtection.Blobs",
        "DuoUniversal",
        "Fido2.AspNet",
        "Duende.IdentityServer",
        "Microsoft.AspNetCore.Authentication.JwtBearer",
+        "Microsoft.Extensions.Caching.Cosmos",
        "Microsoft.Extensions.Identity.Stores",
        "Otp.NET",
        "Sustainsys.Saml2.AspNetCore2",
@ -80,11 +56,7 @@
        "Microsoft.AspNetCore.Mvc.Testing",
        "Newtonsoft.Json",
        "NSubstitute",
-        "Sentry.Serilog",
-        "Serilog.AspNetCore",
-        "Serilog.Extensions.Logging",
        "Serilog.Extensions.Logging.File",
-        "Serilog.Sinks.SyslogMessages",
        "Stripe.net",
        "Swashbuckle.AspNetCore",
        "Swashbuckle.AspNetCore.SwaggerGen",
@ -95,11 +67,6 @@
      commitMessagePrefix: "[deps] Billing:",
      reviewers: ["team:team-billing-dev"],
    },
-    {
-      matchPackageNames: ["/^Microsoft\\.EntityFrameworkCore\\./", "/^dotnet-ef/"],
-      groupName: "EntityFrameworkCore",
-      description: "Group EntityFrameworkCore to exclude them from the dotnet monorepo preset",
-    },
    {
      matchPackageNames: [
        "Dapper",
@ -131,6 +98,7 @@
        "AspNetCoreRateLimit",
        "AspNetCoreRateLimit.Redis",
        "Azure.Data.Tables",
+        "Azure.Extensions.AspNetCore.DataProtection.Blobs",
        "Azure.Messaging.EventGrid",
        "Azure.Messaging.ServiceBus",
        "Azure.Storage.Blobs",
@ -146,7 +114,6 @@
        "Microsoft.Extensions.DependencyInjection",
        "Microsoft.Extensions.Logging",
        "Microsoft.Extensions.Logging.Console",
-        "Microsoft.Extensions.Caching.Cosmos",
        "Microsoft.Extensions.Caching.SqlServer",
        "Microsoft.Extensions.Caching.StackExchangeRedis",
        "Quartz",
@ -155,6 +122,12 @@
      commitMessagePrefix: "[deps] Platform:",
      reviewers: ["team:team-platform-dev"],
    },
+    {
+      matchUpdateTypes: ["lockFileMaintenance"],
+      description: "Platform owns lock file maintenance",
+      commitMessagePrefix: "[deps] Platform:",
+      reviewers: ["team:team-platform-dev"],
+    },
    {
      matchPackageNames: [
        "AutoMapper.Extensions.Microsoft.DependencyInjection",
@ -184,6 +157,73 @@
      commitMessagePrefix: "[deps] Vault:",
      reviewers: ["team:team-vault-dev"],
    },
+
+    // ==================== Grouping Rules ====================
+    // These come after any specific team assignment rules to ensure
+    // that grouping is not overridden by subsequent rule definitions.
+    {
+      groupName: "cargo minor",
+      matchManagers: ["cargo"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      groupName: "dockerfile minor",
+      matchManagers: ["dockerfile"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      groupName: "docker-compose minor",
+      matchManagers: ["docker-compose"],
+      matchUpdateTypes: ["minor"],
+    },
+    {
+      groupName: "github-action minor",
+      matchManagers: ["github-actions"],
+      matchUpdateTypes: ["minor"],
+      addLabels: ["hold"],
+    },
+    {
+      matchPackageNames: ["/^Microsoft\\.EntityFrameworkCore\\./", "/^dotnet-ef/"],
+      groupName: "EntityFrameworkCore",
+      description: "Group EntityFrameworkCore to exclude them from the dotnet monorepo preset",
+    },
+    {
+      matchPackageNames: ["https://github.com/bitwarden/sdk-internal.git"],
+      groupName: "sdk-internal",
+      dependencyDashboardApproval: true
+    },
+
+    // ==================== Dashboard Rules ====================
+    {
+      // For any Microsoft.Extensions.* and Microsoft.AspNetCore.* packages, we want to create PRs for patch updates.
+      // This overrides the default that ignores patch updates for nuget dependencies.
+      matchPackageNames: [
+          "/^Microsoft\\.Extensions\\./",
+          "/^Microsoft\\.AspNetCore\\./",
+      ],
+      matchUpdateTypes: ["patch"],
+      dependencyDashboardApproval: false,
+    },
+    {
+      // For the Platform-owned dependencies below, we have decided we will only be creating PRs
+      // for major updates, and sending minor (as well as patch, inherited from base config) to the dashboard.
+      // This rule comes AFTER grouping rules so that groups are respected while still
+      // sending minor/patch updates to the dependency dashboard for approval.
+      matchPackageNames: [
+        "AspNetCoreRateLimit",
+        "AspNetCoreRateLimit.Redis",
+        "Azure.Data.Tables",
+        "Azure.Extensions.AspNetCore.DataProtection.Blobs",
+        "Azure.Messaging.EventGrid",
+        "Azure.Messaging.ServiceBus",
+        "Azure.Storage.Blobs",
+        "Azure.Storage.Queues",
+        "LaunchDarkly.ServerSdk",
+        "Quartz",
+      ],
+      matchUpdateTypes: ["minor"],
+      dependencyDashboardApproval: true,
+    },
  ],
  ignoreDeps: ["dotnet-sdk"],
 }
--- a/.github/workflows/_move_edd_db_scripts.yml
+++ b/.github/workflows/_move_edd_db_scripts.yml
@ -38,21 +38,22 @@ jobs:
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Check out branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          persist-credentials: false

      - name: Get script prefix
        id: prefix
-        run: echo "prefix=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+        run: echo "prefix=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"

      - name: Check if any files in DB transition or finalization directories
        id: check-script-existence
        run: |
          if [ -f util/Migrator/DbScripts_transition/* -o -f util/Migrator/DbScripts_finalization/* ]; then
-            echo "copy_edd_scripts=true" >> $GITHUB_OUTPUT
+            echo "copy_edd_scripts=true" >> "$GITHUB_OUTPUT"
          else
-            echo "copy_edd_scripts=false" >> $GITHUB_OUTPUT
+            echo "copy_edd_scripts=false" >> "$GITHUB_OUTPUT"
          fi

  move-scripts:
@ -67,20 +68,21 @@ jobs:
    if: ${{ needs.setup.outputs.copy_edd_scripts == 'true' }}
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
+          persist-credentials: true

      - name: Generate branch name
        id: branch_name
        env:
          PREFIX: ${{ needs.setup.outputs.migration_filename_prefix }}
-        run: echo "branch_name=move_edd_db_scripts_$PREFIX" >> $GITHUB_OUTPUT
+        run: echo "branch_name=move_edd_db_scripts_$PREFIX" >> "$GITHUB_OUTPUT"

      - name: "Create branch"
        env:
          BRANCH: ${{ steps.branch_name.outputs.branch_name }}
-        run: git switch -c $BRANCH
+        run: git switch -c "$BRANCH"

      - name: Move scripts and finalization database schema
        id: move-files
@ -120,7 +122,7 @@ jobs:

          # sync finalization schema back to dbo, maintaining structure
          rsync -r "$src_dir/" "$dest_dir/"
-          rm -rf $src_dir/*
+          rm -rf "${src_dir}"/*

          # Replace any finalization references due to the move
          find ./src/Sql/dbo -name "*.sql" -type f -exec sed -i \
@ -131,7 +133,7 @@ jobs:
            moved_files="$moved_files \n $file"
          done

-          echo "moved_files=$moved_files" >> $GITHUB_OUTPUT
+          echo "moved_files=$moved_files" >> "$GITHUB_OUTPUT"

      - name: Log in to Azure
        uses: bitwarden/gh-actions/azure-login@main
@ -162,18 +164,20 @@ jobs:

      - name: Commit and push changes
        id: commit
+        env:
+          BRANCH_NAME: ${{ steps.branch_name.outputs.branch_name }}
        run: |
          git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com"
          git config --local user.name "bitwarden-devops-bot"
          if [ -n "$(git status --porcelain)" ]; then
            git add .
            git commit -m "Move EDD database scripts" -a
-            git push -u origin ${{ steps.branch_name.outputs.branch_name }}
-            echo "pr_needed=true" >> $GITHUB_OUTPUT
+            git push -u origin "${BRANCH_NAME}"
+            echo "pr_needed=true" >> "$GITHUB_OUTPUT"
          else
            echo "No changes to commit!";
-            echo "pr_needed=false" >> $GITHUB_OUTPUT
-            echo "### :mega: No changes to commit! PR was ommited." >> $GITHUB_STEP_SUMMARY
+            echo "pr_needed=false" >> "$GITHUB_OUTPUT"
+            echo "### :mega: No changes to commit! PR was ommited." >> "$GITHUB_STEP_SUMMARY"
          fi

      - name: Create PR for ${{ steps.branch_name.outputs.branch_name }}
@ -195,7 +199,7 @@ jobs:
              Files moved:
              $(echo -e "$MOVED_FILES")
              ")
-          echo "pr_url=${PR_URL}" >> $GITHUB_OUTPUT
+          echo "pr_url=${PR_URL}" >> "$GITHUB_OUTPUT"

      - name: Notify Slack about creation of PR
        if: ${{ steps.commit.outputs.pr_needed == 'true' }}
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -22,29 +22,30 @@ env:
 jobs:
  lint:
    name: Lint
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Verify format
        run: dotnet format --verify-no-changes

  build-artifacts:
    name: Build Docker images
-    runs-on: ubuntu-24.04
-    needs:
-      - lint
+    runs-on: ubuntu-22.04
+    needs: lint
    outputs:
      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
    permissions:
      security-events: write
      id-token: write
+    timeout-minutes: 45
    strategy:
      fail-fast: false
      matrix:
@ -97,30 +98,31 @@ jobs:
        id: check-secrets
        run: |
          has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }}
-          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+          echo "has_secrets=$has_secrets" >> "$GITHUB_OUTPUT"

      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false

      - name: Check branch to publish
        env:
          PUBLISH_BRANCHES: "main,rc,hotfix-rc"
        id: publish-branch-check
        run: |
-          IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
+          IFS="," read -a publish_branches <<< "$PUBLISH_BRANCHES"
          if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
-            echo "is_publish_branch=true" >> $GITHUB_ENV
+            echo "is_publish_branch=true" >> "$GITHUB_ENV"
          else
-            echo "is_publish_branch=false" >> $GITHUB_ENV
+            echo "is_publish_branch=false" >> "$GITHUB_ENV"
          fi

      - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Set up Node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          cache: "npm"
          cache-dependency-path: "**/package-lock.json"
@ -157,7 +159,7 @@ jobs:
          ls -atlh ../../../

      - name: Upload project artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        if: ${{ matrix.dotnet }}
        with:
          name: ${{ matrix.project_name }}.zip
@ -166,10 +168,10 @@ jobs:

      ########## Set up Docker ##########
      - name: Set up QEMU emulators
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      ########## ACRs ##########
      - name: Log in to Azure
@ -182,13 +184,6 @@ jobs:
      - name: Log in to ACR - production subscription
        run: az acr login -n bitwardenprod

-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
-
      ########## Generate image tag and build Docker image ##########
      - name: Generate Docker image tag
        id: tag
@ -209,8 +204,8 @@ jobs:
            IMAGE_TAG=dev
          fi

-          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
-          echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
+          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+          echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> "$GITHUB_STEP_SUMMARY"

      - name: Set up project name
        id: setup
@ -218,7 +213,7 @@ jobs:
          PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}')
          echo "Matrix name: ${{ matrix.project_name }}"
          echo "PROJECT_NAME: $PROJECT_NAME"
-          echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT
+          echo "project_name=$PROJECT_NAME" >> "$GITHUB_OUTPUT"

      - name: Generate image tags(s)
        id: image-tags
@ -228,12 +223,12 @@ jobs:
          SHA: ${{ github.sha }}
        run: |
          TAGS="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
-          echo "primary_tag=$TAGS" >> $GITHUB_OUTPUT
+          echo "primary_tag=$TAGS" >> "$GITHUB_OUTPUT"
          if [[ "${IMAGE_TAG}" == "dev" ]]; then
-            SHORT_SHA=$(git rev-parse --short ${SHA})
+            SHORT_SHA=$(git rev-parse --short "${SHA}")
            TAGS=$TAGS",${_AZ_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
          fi
-          echo "tags=$TAGS" >> $GITHUB_OUTPUT
+          echo "tags=$TAGS" >> "$GITHUB_OUTPUT"

      - name: Build Docker image
        id: build-artifacts
@ -247,12 +242,10 @@ jobs:
            linux/arm64
          push: true
          tags: ${{ steps.image-tags.outputs.tags }}
-          secrets: |
-            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

      - name: Install Cosign
        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
-        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
+        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1

      - name: Sign image with Cosign
        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
@ -260,23 +253,24 @@ jobs:
          DIGEST: ${{ steps.build-artifacts.outputs.digest }}
          TAGS: ${{ steps.image-tags.outputs.tags }}
        run: |
-          IFS="," read -a tags <<< "${TAGS}"
-          images=""
-          for tag in "${tags[@]}"; do
-            images+="${tag}@${DIGEST} "
+          IFS=',' read -r -a tags_array <<< "${TAGS}"
+          images=()
+          for tag in "${tags_array[@]}"; do
+            images+=("${tag}@${DIGEST}")
          done
-          cosign sign --yes ${images}
+          cosign sign --yes ${images[@]}
+          echo "images=${images[*]}" >> "$GITHUB_OUTPUT"

      - name: Scan Docker image
        id: container-scan
-        uses: anchore/scan-action@2c901ab7378897c01b8efaa2d0c9bf519cc64b9e # v6.2.0
+        uses: anchore/scan-action@3c9a191a0fbab285ca6b8530b5de5a642cba332f # v7.2.2
        with:
          image: ${{ steps.image-tags.outputs.primary_tag }}
          fail-build: false
          output-format: sarif

      - name: Upload Grype results to GitHub
-        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
        with:
          sarif_file: ${{ steps.container-scan.outputs.sarif }}
          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
@ -287,19 +281,20 @@ jobs:

  upload:
    name: Upload
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-22.04
    needs: build-artifacts
    permissions:
      id-token: write
      actions: read
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Log in to Azure
        uses: bitwarden/gh-actions/azure-login@main
@ -309,7 +304,7 @@ jobs:
          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Log in to ACR - production subscription
-        run: az acr login -n $_AZ_REGISTRY --only-show-errors
+        run: az acr login -n "$_AZ_REGISTRY" --only-show-errors

      - name: Make Docker stubs
        if: |
@ -332,26 +327,26 @@ jobs:
          STUB_OUTPUT=$(pwd)/docker-stub

          # Run setup
-          docker run -i --rm --name setup -v $STUB_OUTPUT/US:/bitwarden $SETUP_IMAGE \
+          docker run -i --rm --name setup -v "$STUB_OUTPUT/US:/bitwarden" "$SETUP_IMAGE" \
            /app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region US
-          docker run -i --rm --name setup -v $STUB_OUTPUT/EU:/bitwarden $SETUP_IMAGE \
+          docker run -i --rm --name setup -v "$STUB_OUTPUT/EU:/bitwarden" "$SETUP_IMAGE" \
            /app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region EU

-          sudo chown -R $(whoami):$(whoami) $STUB_OUTPUT
+          sudo chown -R "$(whoami):$(whoami)" "$STUB_OUTPUT"

          # Remove extra directories and files
-          rm -rf $STUB_OUTPUT/US/letsencrypt
-          rm -rf $STUB_OUTPUT/EU/letsencrypt
-          rm $STUB_OUTPUT/US/env/uid.env $STUB_OUTPUT/US/config.yml
-          rm $STUB_OUTPUT/EU/env/uid.env $STUB_OUTPUT/EU/config.yml
+          rm -rf "$STUB_OUTPUT/US/letsencrypt"
+          rm -rf "$STUB_OUTPUT/EU/letsencrypt"
+          rm "$STUB_OUTPUT/US/env/uid.env" "$STUB_OUTPUT/US/config.yml"
+          rm "$STUB_OUTPUT/EU/env/uid.env" "$STUB_OUTPUT/EU/config.yml"

          # Create uid environment files
-          touch $STUB_OUTPUT/US/env/uid.env
-          touch $STUB_OUTPUT/EU/env/uid.env
+          touch "$STUB_OUTPUT/US/env/uid.env"
+          touch "$STUB_OUTPUT/EU/env/uid.env"

          # Zip up the Docker stub files
-          cd docker-stub/US; zip -r ../../docker-stub-US.zip *; cd ../..
-          cd docker-stub/EU; zip -r ../../docker-stub-EU.zip *; cd ../..
+          cd docker-stub/US; zip -r ../../docker-stub-US.zip ./*; cd ../..
+          cd docker-stub/EU; zip -r ../../docker-stub-EU.zip ./*; cd ../..

      - name: Log out from Azure
        uses: bitwarden/gh-actions/azure-logout@main
@ -360,7 +355,7 @@ jobs:
        if: |
          github.event_name != 'pull_request'
          && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: docker-stub-US.zip
          path: docker-stub-US.zip
@ -370,7 +365,7 @@ jobs:
        if: |
          github.event_name != 'pull_request'
          && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: docker-stub-EU.zip
          path: docker-stub-EU.zip
@ -382,21 +377,21 @@ jobs:
          pwsh ./generate_openapi_files.ps1

      - name: Upload Public API Swagger artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: swagger.json
          path: api.public.json
          if-no-files-found: error

      - name: Upload Internal API Swagger artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: internal.json
          path: api.json
          if-no-files-found: error

      - name: Upload Identity Swagger artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: identity.json
          path: identity.json
@ -404,9 +399,8 @@ jobs:

  build-mssqlmigratorutility:
    name: Build MSSQL migrator utility
-    runs-on: ubuntu-24.04
-    needs:
-      - lint
+    runs-on: ubuntu-22.04
+    needs: lint
    defaults:
      run:
        shell: bash
@ -420,12 +414,13 @@ jobs:
          - win-x64
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Print environment
        run: |
@ -441,7 +436,7 @@ jobs:

      - name: Upload project artifact for Windows
        if: ${{ contains(matrix.target, 'win') == true }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: MsSqlMigratorUtility-${{ matrix.target }}
          path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe
@ -449,20 +444,19 @@ jobs:

      - name: Upload project artifact
        if: ${{ contains(matrix.target, 'win') == false }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: MsSqlMigratorUtility-${{ matrix.target }}
          path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility
          if-no-files-found: error

-  self-host-build:
-    name: Trigger self-host build
+  bitwarden-lite-build:
+    name: Trigger Bitwarden lite build
    if: |
      github.event_name != 'pull_request'
      && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-    runs-on: ubuntu-24.04
-    needs:
-      - build-artifacts
+    runs-on: ubuntu-22.04
+    needs: build-artifacts
    permissions:
      id-token: write
    steps:
@ -473,25 +467,34 @@ jobs:
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}

-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"

      - name: Log out from Azure
        uses: bitwarden/gh-actions/azure-logout@main

-      - name: Trigger self-host build
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: app-token
        with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: self-host
+
+      - name: Trigger Bitwarden lite build
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{ steps.app-token.outputs.token }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'bitwarden',
              repo: 'self-host',
-              workflow_id: 'build-unified.yml',
+              workflow_id: 'build-bitwarden-lite.yml',
              ref: 'main',
              inputs: {
                server_branch: process.env.GITHUB_REF
@ -499,11 +502,10 @@ jobs:
            });

  trigger-k8s-deploy:
-    name: Trigger k8s deploy
+    name: Trigger K8s deploy
    if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-22.04
-    needs:
-      - build-artifacts
+    needs: build-artifacts
    permissions:
      id-token: write
    steps:
@ -514,20 +516,29 @@ jobs:
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}

-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"

      - name: Log out from Azure
        uses: bitwarden/gh-actions/azure-logout@main

-      - name: Trigger k8s deploy
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: app-token
        with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: devops
+
+      - name: Trigger K8s deploy
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{ steps.app-token.outputs.token }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'bitwarden',
@ -542,8 +553,7 @@ jobs:

  setup-ephemeral-environment:
    name: Setup Ephemeral Environment
-    needs:
-      - build-artifacts
+    needs: build-artifacts
    if: |
      needs.build-artifacts.outputs.has_secrets == 'true'
      && github.event_name == 'pull_request'
@ -566,7 +576,7 @@ jobs:
      - build-artifacts
      - upload
      - build-mssqlmigratorutility
-      - self-host-build
+      - bitwarden-lite-build
      - trigger-k8s-deploy
    permissions:
      id-token: write
--- a/.github/workflows/cleanup-after-pr.yml
+++ b/.github/workflows/cleanup-after-pr.yml
@ -1,71 +0,0 @@
-name: Container registry cleanup
-
-on:
-  pull_request:
-    types: [closed]
-
-env:
-  _AZ_REGISTRY: "bitwardenprod.azurecr.io"
-
-jobs:
-  build-docker:
-    name: Remove branch-specific Docker images
-    runs-on: ubuntu-22.04
-    permissions:
-      id-token: write
-    steps:
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Log in to Azure ACR
-        run: az acr login -n $_AZ_REGISTRY --only-show-errors
-
-      ########## Remove Docker images ##########
-      - name: Remove the Docker image from ACR
-        env:
-          REF: ${{ github.event.pull_request.head.ref }}
-          SERVICES: |
-            services:
-              - Admin
-              - Api
-              - Attachments
-              - Events
-              - EventsProcessor
-              - Icons
-              - Identity
-              - K8S-Proxy
-              - MsSql
-              - Nginx
-              - Notifications
-              - Server
-              - Setup
-              - Sso
-        run: |
-          for SERVICE in $(echo "${{ env.SERVICES }}" | yq e ".services[]" - )
-          do
-            SERVICE_NAME=$(echo $SERVICE | awk '{print tolower($0)}')
-            IMAGE_TAG=$(echo "${REF}" | sed "s#/#-#g")  # slash safe branch name
-
-            echo "[*] Checking if remote exists: $_AZ_REGISTRY/$SERVICE_NAME:$IMAGE_TAG"
-            TAG_EXISTS=$(
-              az acr repository show-tags --name $_AZ_REGISTRY --repository $SERVICE_NAME \
-              | jq --arg $TAG "$IMAGE_TAG" -e '. | any(. == "$TAG")'
-            )
-
-            if [[ "$TAG_EXISTS" == "true" ]]; then
-              echo "[*] Tag exists. Removing tag"
-              az acr repository delete --name $_AZ_REGISTRY --image $SERVICE_NAME:$IMAGE_TAG --yes
-            else
-              echo "[*] Tag does not exist. No action needed"
-            fi
-          done
-
-      - name: Log out of Docker
-        run: docker logout
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
--- a/.github/workflows/cleanup-rc-branch.yml
+++ b/.github/workflows/cleanup-rc-branch.yml
@ -31,10 +31,12 @@ jobs:
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Checkout main
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: main
          token: ${{ steps.retrieve-bot-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          persist-credentials: false
+          fetch-depth: 0

      - name: Check if a RC branch exists
        id: branch-check
@ -43,11 +45,11 @@ jobs:
          rc_branch_check=$(git ls-remote --heads origin rc | wc -l)

          if [[ "${hotfix_rc_branch_check}" -gt 0 ]]; then
-            echo "hotfix-rc branch exists." | tee -a $GITHUB_STEP_SUMMARY
-            echo "name=hotfix-rc" >> $GITHUB_OUTPUT
+            echo "hotfix-rc branch exists." | tee -a "$GITHUB_STEP_SUMMARY"
+            echo "name=hotfix-rc" >> "$GITHUB_OUTPUT"
          elif [[ "${rc_branch_check}" -gt 0 ]]; then
-            echo "rc branch exists." | tee -a $GITHUB_STEP_SUMMARY
-            echo "name=rc" >> $GITHUB_OUTPUT
+            echo "rc branch exists." | tee -a "$GITHUB_STEP_SUMMARY"
+            echo "name=rc" >> "$GITHUB_OUTPUT"
          fi

      - name: Delete RC branch
@ -55,6 +57,6 @@ jobs:
          BRANCH_NAME: ${{ steps.branch-check.outputs.name }}
        run: |
          if ! [[ -z "$BRANCH_NAME" ]]; then
-            git push --quiet origin --delete $BRANCH_NAME
-            echo "Deleted $BRANCH_NAME branch." | tee -a $GITHUB_STEP_SUMMARY
+            git push --quiet origin --delete "$BRANCH_NAME"
+            echo "Deleted $BRANCH_NAME branch." | tee -a "$GITHUB_STEP_SUMMARY"
          fi
--- a/.github/workflows/code-references.yml
+++ b/.github/workflows/code-references.yml
@ -19,9 +19,9 @@ jobs:
        id: check-secret-access
        run: |
          if [ "${{ secrets.AZURE_CLIENT_ID }}" != '' ]; then
-            echo "available=true" >> $GITHUB_OUTPUT;
+            echo "available=true" >> "$GITHUB_OUTPUT";
          else
-            echo "available=false" >> $GITHUB_OUTPUT;
+            echo "available=false" >> "$GITHUB_OUTPUT";
          fi

  refs:
@ -36,7 +36,9 @@ jobs:

    steps:
      - name: Check out repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false

      - name: Log in to Azure
        uses: bitwarden/gh-actions/azure-login@main
@ -57,7 +59,7 @@ jobs:

      - name: Collect
        id: collect
-        uses: launchdarkly/find-code-references@e3e9da201b87ada54eb4c550c14fb783385c5c8a # v2.13.0
+        uses: launchdarkly/find-code-references@89a7d362d1d4b3725fe0fe0ccd0dc69e3bdcba58 # v2.14.0
        with:
          accessToken: ${{ steps.get-kv-secrets.outputs.LD-ACCESS-TOKEN }}
          projKey: default
@ -65,14 +67,14 @@ jobs:

      - name: Add label
        if: steps.collect.outputs.any-changed == 'true'
-        run: gh pr edit $PR_NUMBER --add-label feature-flag
+        run: gh pr edit "$PR_NUMBER" --add-label feature-flag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}

      - name: Remove label
        if: steps.collect.outputs.any-changed == 'false'
-        run: gh pr edit $PR_NUMBER --remove-label feature-flag
+        run: gh pr edit "$PR_NUMBER" --remove-label feature-flag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@ -17,5 +17,5 @@ jobs:
      - name: Check for label
        run: |
          echo "PRs with the hold, needs-qa or ephemeral-environment labels cannot be merged"
-          echo "### :x: PRs with the hold, needs-qa or ephemeral-environment labels cannot be merged" >> $GITHUB_STEP_SUMMARY
+          echo "### :x: PRs with the hold, needs-qa or ephemeral-environment labels cannot be merged" >> "$GITHUB_STEP_SUMMARY"
          exit 1
--- a/.github/workflows/ephemeral-environment.yml
+++ b/.github/workflows/ephemeral-environment.yml
@ -16,5 +16,5 @@ jobs:
    with:
      project: server
      pull_request_number: ${{ github.event.number }}
-      sync_environment: true
+      sync_environment: false
    secrets: inherit
--- a/.github/workflows/load-test.yml
+++ b/.github/workflows/load-test.yml
@ -1,13 +1,114 @@
-name: Test Stub
+name: Load test
+
 on:
+  schedule:
+    - cron: "0 0 * * 1" # Run every Monday at 00:00
  workflow_dispatch:
+    inputs:
+      test-id:
+        type: string
+        description: "Identifier label for Datadog metrics"
+        default: "server-load-test"
+      k6-test-path:
+        type: string
+        description: "Path to load test files"
+        default: "perf/load/*.js"
+      k6-flags:
+        type: string
+        description: "Additional k6 flags"
+      api-env-url:
+        type: string
+        description: "URL of the API environment"
+        default: "https://api.qa.bitwarden.pw"
+      identity-env-url:
+        type: string
+        description: "URL of the Identity environment"
+        default: "https://identity.qa.bitwarden.pw"
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  # Secret configuration
+  AZURE_KEY_VAULT_NAME: gh-server
+  AZURE_KEY_VAULT_SECRETS: DD-API-KEY, K6-CLIENT-ID, K6-AUTH-USER-EMAIL, K6-AUTH-USER-PASSWORD-HASH
+  # Specify defaults for scheduled runs
+  TEST_ID: ${{ inputs.test-id || 'server-load-test' }}
+  K6_TEST_PATH: ${{ inputs.k6-test-path || 'perf/load/*.js' }}
+  API_ENV_URL: ${{ inputs.api-env-url || 'https://api.qa.bitwarden.pw' }}
+  IDENTITY_ENV_URL: ${{ inputs.identity-env-url || 'https://identity.qa.bitwarden.pw' }}

 jobs:
-  test:
-    permissions:
-      contents: read
-    name: Test
+  run-tests:
+    name: Run load tests
    runs-on: ubuntu-24.04
    steps:
-      - name: Test
-        run: exit 0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: ${{ env.AZURE_KEY_VAULT_NAME }}
+          secrets: ${{ env.AZURE_KEY_VAULT_SECRETS }}
+
+      - name: Log out of Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
+      # Datadog agent for collecting OTEL metrics from k6
+      - name: Start Datadog agent
+        env:
+          DD_API_KEY: ${{ steps.get-kv-secrets.outputs.DD-API-KEY }}
+        run: |
+          docker run --detach \
+            --name datadog-agent \
+            -p 4317:4317 \
+            -p 5555:5555 \
+            -e DD_SITE=us3.datadoghq.com \
+            -e DD_API_KEY="${DD_API_KEY}" \
+            -e DD_DOGSTATSD_NON_LOCAL_TRAFFIC=1 \
+            -e DD_OTLP_CONFIG_RECEIVER_PROTOCOLS_GRPC_ENDPOINT=0.0.0.0:4317 \
+            -e DD_HEALTH_PORT=5555 \
+            -e HOST_PROC=/proc \
+            --volume /var/run/docker.sock:/var/run/docker.sock:ro \
+            --volume /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
+            --health-cmd "curl -f http://localhost:5555/health || exit 1" \
+            --health-interval 10s \
+            --health-timeout 5s \
+            --health-retries 10 \
+            --health-start-period 30s \
+            --pid host \
+            datadog/agent:7-full@sha256:7ea933dec3b8baa8c19683b1c3f6f801dbf3291f748d9ed59234accdaac4e479
+
+      - name: Check out repo
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Set up k6
+        uses: grafana/setup-k6-action@ffe7d7290dfa715e48c2ccc924d068444c94bde2 # v1.1.0
+
+      - name: Run k6 tests
+        uses: grafana/run-k6-action@a15e2072ede004e8d46141e33d7f7dad8ad08d9d # v1.3.1
+        continue-on-error: false
+        env:
+          K6_OTEL_METRIC_PREFIX: k6_
+          K6_OTEL_GRPC_EXPORTER_INSECURE: true
+          # Load test specific environment variables
+          API_URL: ${{ env.API_ENV_URL }}
+          IDENTITY_URL: ${{ env.IDENTITY_ENV_URL }}
+          CLIENT_ID: ${{ steps.get-kv-secrets.outputs.K6-CLIENT-ID }}
+          AUTH_USER_EMAIL: ${{ steps.get-kv-secrets.outputs.K6-AUTH-USER-EMAIL }}
+          AUTH_USER_PASSWORD_HASH: ${{ steps.get-kv-secrets.outputs.K6-AUTH-USER-PASSWORD-HASH }}
+        with:
+          flags: >-
+            --tag test-id=${{ env.TEST_ID }}
+            -o experimental-opentelemetry
+            ${{ inputs.k6-flags }}
+          path: ${{ env.K6_TEST_PATH }}
--- a/.github/workflows/protect-files.yml
+++ b/.github/workflows/protect-files.yml
@ -31,9 +31,10 @@ jobs:
            label: "DB-migrations-changed"
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 2
+          persist-credentials: false

      - name: Check for file changes
        id: check-changes
@ -43,9 +44,9 @@ jobs:
          for file in $MODIFIED_FILES
          do
            if [[ $file == *"${{ matrix.path }}"* ]]; then
-              echo "changes_detected=true" >> $GITHUB_OUTPUT
+              echo "changes_detected=true" >> "$GITHUB_OUTPUT"
              break
-            else echo "changes_detected=false" >> $GITHUB_OUTPUT
+            else echo "changes_detected=false" >> "$GITHUB_OUTPUT"
            fi
          done

--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -36,21 +36,23 @@ jobs:
    steps:
      - name: Version output
        id: version-output
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
        run: |
-          if [[ "${{ inputs.version }}" == "latest" || "${{ inputs.version }}" == "" ]]; then
+          if [[ "${INPUT_VERSION}" == "latest" || "${INPUT_VERSION}" == "" ]]; then
            VERSION=$(curl  "https://api.github.com/repos/bitwarden/server/releases" | jq -c '.[] | select(.tag_name) | .tag_name' | head -1 | grep -ohE '20[0-9]{2}\.([1-9]|1[0-2])\.[0-9]+')
            echo "Latest Released Version: $VERSION"
-            echo "version=$VERSION" >> $GITHUB_OUTPUT
+            echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          else
-            echo "Release Version: ${{ inputs.version }}"
-            echo "version=${{ inputs.version }}" >> $GITHUB_OUTPUT
+            echo "Release Version: ${INPUT_VERSION}"
+            echo "version=${INPUT_VERSION}" >> "$GITHUB_OUTPUT"
          fi

      - name: Get branch name
        id: branch
        run: |
-          BRANCH_NAME=$(basename ${{ github.ref }})
-          echo "branch-name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+          BRANCH_NAME=$(basename "${GITHUB_REF}")
+          echo "branch-name=$BRANCH_NAME" >> "$GITHUB_OUTPUT"

      - name: Create GitHub deployment
        uses: chrnorm/deployment-action@55729fcebec3d284f60f5bcabbd8376437d696b1 # v2.0.7
@ -89,7 +91,6 @@ jobs:
          - project_name: Nginx
          - project_name: Notifications
          - project_name: Scim
-          - project_name: Server
          - project_name: Setup
          - project_name: Sso
    steps:
@ -104,7 +105,10 @@ jobs:
          echo "Github Release Option: $RELEASE_OPTION"

      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false

      - name: Set up project name
        id: setup
@ -112,7 +116,7 @@ jobs:
          PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}')
          echo "Matrix name: ${{ matrix.project_name }}"
          echo "PROJECT_NAME: $PROJECT_NAME"
-          echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT
+          echo "project_name=$PROJECT_NAME" >> "$GITHUB_OUTPUT"

      ########## ACR PROD ##########
      - name: Log in to Azure
@ -123,16 +127,16 @@ jobs:
          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Log in to Azure ACR
-        run: az acr login -n $_AZ_REGISTRY --only-show-errors
+        run: az acr login -n "$_AZ_REGISTRY" --only-show-errors

      - name: Pull latest project image
        env:
          PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
        run: |
          if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then
-            docker pull $_AZ_REGISTRY/$PROJECT_NAME:latest
+            docker pull "$_AZ_REGISTRY/$PROJECT_NAME:latest"
          else
-            docker pull $_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME
+            docker pull "$_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME"
          fi

      - name: Tag version and latest
@ -140,10 +144,10 @@ jobs:
          PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
        run: |
          if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then
-            docker tag $_AZ_REGISTRY/$PROJECT_NAME:latest $_AZ_REGISTRY/$PROJECT_NAME:dryrun
+            docker tag "$_AZ_REGISTRY/$PROJECT_NAME:latest" "$_AZ_REGISTRY/$PROJECT_NAME:dryrun"
          else
-            docker tag $_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME $_AZ_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION
-            docker tag $_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME $_AZ_REGISTRY/$PROJECT_NAME:latest
+            docker tag "$_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" "$_AZ_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION"
+            docker tag "$_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" "$_AZ_REGISTRY/$PROJECT_NAME:latest"
          fi

      - name: Push version and latest image
@ -151,10 +155,10 @@ jobs:
          PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
        run: |
          if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then
-            docker push $_AZ_REGISTRY/$PROJECT_NAME:dryrun
+            docker push "$_AZ_REGISTRY/$PROJECT_NAME:dryrun"
          else
-            docker push $_AZ_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION
-            docker push $_AZ_REGISTRY/$PROJECT_NAME:latest
+            docker push "$_AZ_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION"
+            docker push "$_AZ_REGISTRY/$PROJECT_NAME:latest"
          fi

      - name: Log out of Docker
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -39,7 +39,10 @@ jobs:
          fi

      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false

      - name: Check release version
        id: version
@ -52,8 +55,8 @@ jobs:
      - name: Get branch name
        id: branch
        run: |
-          BRANCH_NAME=$(basename ${{ github.ref }})
-          echo "branch-name=$BRANCH_NAME" >> $GITHUB_OUTPUT
+          BRANCH_NAME=$(basename "${GITHUB_REF}")
+          echo "branch-name=$BRANCH_NAME" >> "$GITHUB_OUTPUT"

  release:
    name: Create GitHub release
@ -86,7 +89,7 @@ jobs:

      - name: Create release
        if: ${{ inputs.release_type != 'Dry Run' }}
-        uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1.16.0
+        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
        with:
          artifacts: "docker-stub-US.zip,
            docker-stub-EU.zip,
--- a/.github/workflows/repository-management.yml
+++ b/.github/workflows/repository-management.yml
@ -30,6 +30,7 @@ jobs:
    runs-on: ubuntu-24.04
    outputs:
      branch: ${{ steps.set-branch.outputs.branch }}
+    permissions: {}
    steps:
      - name: Set branch
        id: set-branch
@ -44,7 +45,7 @@ jobs:
            BRANCH="hotfix-rc"
          fi

-          echo "branch=$BRANCH" >> $GITHUB_OUTPUT
+          echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"

  bump_version:
    name: Bump Version
@ -82,17 +83,19 @@ jobs:
          version: ${{ inputs.version_number_override }}

      - name: Generate GH App token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: app-token
        with:
          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-contents: write

      - name: Check out branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: main
          token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: true

      - name: Configure Git
        run: |
@ -108,7 +111,7 @@ jobs:
        id: current-version
        run: |
          CURRENT_VERSION=$(xmllint -xpath "/Project/PropertyGroup/Version/text()" Directory.Build.props)
-          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          echo "version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"

      - name: Verify input version
        if: ${{ inputs.version_number_override != '' }}
@ -118,16 +121,15 @@ jobs:
        run: |
          # Error if version has not changed.
          if [[ "$NEW_VERSION" == "$CURRENT_VERSION" ]]; then
-            echo "Specified override version is the same as the current version." >> $GITHUB_STEP_SUMMARY
+            echo "Specified override version is the same as the current version." >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi

          # Check if version is newer.
-          printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V
-          if [ $? -eq 0 ]; then
+          if printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then
            echo "Version is newer than the current version."
          else
-            echo "Version is older than the current version." >> $GITHUB_STEP_SUMMARY
+            echo "Version is older than the current version." >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi

@ -158,15 +160,20 @@ jobs:
        id: set-final-version-output
        env:
          VERSION: ${{ inputs.version_number_override }}
+          BUMP_VERSION_OVERRIDE_OUTCOME: ${{ steps.bump-version-override.outcome }}
+          BUMP_VERSION_AUTOMATIC_OUTCOME: ${{ steps.bump-version-automatic.outcome }}
+          CALCULATE_NEXT_VERSION: ${{ steps.calculate-next-version.outputs.version }}
        run: |
-          if [[ "${{ steps.bump-version-override.outcome }}" = "success" ]]; then
-            echo "version=$VERSION" >> $GITHUB_OUTPUT
-          elif [[ "${{ steps.bump-version-automatic.outcome }}" = "success" ]]; then
-            echo "version=${{ steps.calculate-next-version.outputs.version }}" >> $GITHUB_OUTPUT
+          if [[ "${BUMP_VERSION_OVERRIDE_OUTCOME}" = "success" ]]; then
+            echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          elif [[ "${BUMP_VERSION_AUTOMATIC_OUTCOME}" = "success" ]]; then
+            echo "version=${CALCULATE_NEXT_VERSION}" >> "$GITHUB_OUTPUT"
          fi

      - name: Commit files
-        run: git commit -m "Bumped version to ${{ steps.set-final-version-output.outputs.version }}" -a
+        env:
+          FINAL_VERSION: ${{ steps.set-final-version-output.outputs.version }}
+        run: git commit -m "Bumped version to $FINAL_VERSION" -a

      - name: Push changes
        run: git push
@ -200,24 +207,27 @@ jobs:
        uses: bitwarden/gh-actions/azure-logout@main

      - name: Generate GH App token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: app-token
        with:
          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-contents: write

      - name: Check out target ref
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ inputs.target_ref }}
          token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: true
+          fetch-depth: 0

      - name: Check if ${{ needs.setup.outputs.branch }} branch exists
        env:
          BRANCH_NAME: ${{ needs.setup.outputs.branch }}
        run: |
-          if [[ $(git ls-remote --heads origin $BRANCH_NAME) ]]; then
-            echo "$BRANCH_NAME already exists! Please delete $BRANCH_NAME before running again." >> $GITHUB_STEP_SUMMARY
+          if [[ $(git ls-remote --heads origin "$BRANCH_NAME") ]]; then
+            echo "$BRANCH_NAME already exists! Please delete $BRANCH_NAME before running again." >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi

@ -225,11 +235,11 @@ jobs:
        env:
          BRANCH_NAME: ${{ needs.setup.outputs.branch }}
        run: |
-          git switch --quiet --create $BRANCH_NAME
-          git push --quiet --set-upstream origin $BRANCH_NAME
+          git switch --quiet --create "$BRANCH_NAME"
+          git push --quiet --set-upstream origin "$BRANCH_NAME"

  move_edd_db_scripts:
    name: Move EDD database scripts
    needs: cut_branch
+    permissions: {}
    uses: ./.github/workflows/_move_edd_db_scripts.yml
-    secrets: inherit
--- a/.github/workflows/respond.yml
+++ b/.github/workflows/respond.yml
@ -0,0 +1,28 @@
+name: Respond
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+permissions: {}
+
+jobs:
+  respond:
+    name: Respond
+    uses: bitwarden/gh-actions/.github/workflows/_respond.yml@main
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+    permissions:
+      actions: read
+      contents: write
+      id-token: write
+      issues: write
+      pull-requests: write
--- a/.github/workflows/review-code.yml
+++ b/.github/workflows/review-code.yml
@ -0,0 +1,21 @@
+name: Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions: {}
+
+jobs:
+  review:
+    name: Review
+    uses: bitwarden/gh-actions/.github/workflows/_review-code.yml@main
+    secrets:
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+      pull-requests: write
--- a/.github/workflows/stale-bot.yml
+++ b/.github/workflows/stale-bot.yml
@ -15,7 +15,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Check
-        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+        uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
        with:
          stale-issue-label: "needs-reply"
          stale-pr-label: "needs-changes"
--- a/.github/workflows/test-database.yml
+++ b/.github/workflows/test-database.yml
@ -44,10 +44,12 @@ jobs:
      checks: write
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Restore tools
        run: dotnet tool restore
@ -60,7 +62,7 @@ jobs:
          docker compose --profile mssql --profile postgres --profile mysql up -d
        shell: pwsh

-      - name: Add MariaDB for unified
+      - name: Add MariaDB for Bitwarden lite
        # Use a different port than MySQL
        run: |
          docker run --detach --name mariadb --env MARIADB_ROOT_PASSWORD=mariadb-password -p 4306:3306 mariadb:10
@ -131,7 +133,7 @@ jobs:
          # Default Sqlite
          BW_TEST_DATABASES__3__TYPE: "Sqlite"
          BW_TEST_DATABASES__3__CONNECTIONSTRING: "Data Source=${{ runner.temp }}/test.db"
-          # Unified MariaDB
+          # Bitwarden lite MariaDB
          BW_TEST_DATABASES__4__TYPE: "MySql"
          BW_TEST_DATABASES__4__CONNECTIONSTRING: "server=localhost;port=4306;uid=root;pwd=mariadb-password;database=vault_dev;Allow User Variables=true"
        run: dotnet test --logger "trx;LogFileName=infrastructure-test-results.trx" /p:CoverletOutputFormatter="cobertura" --collect:"XPlat Code Coverage"
@ -139,31 +141,31 @@ jobs:

      - name: Print MySQL Logs
        if: failure()
-        run: 'docker logs $(docker ps --quiet --filter "name=mysql")'
+        run: 'docker logs "$(docker ps --quiet --filter "name=mysql")"'

      - name: Print MariaDB Logs
        if: failure()
-        run: 'docker logs $(docker ps --quiet --filter "name=mariadb")'
+        run: 'docker logs "$(docker ps --quiet --filter "name=mariadb")"'

      - name: Print Postgres Logs
        if: failure()
-        run: 'docker logs $(docker ps --quiet --filter "name=postgres")'
+        run: 'docker logs "$(docker ps --quiet --filter "name=postgres")"'

      - name: Print MSSQL Logs
        if: failure()
-        run: 'docker logs $(docker ps --quiet --filter "name=mssql")'
+        run: 'docker logs "$(docker ps --quiet --filter "name=mssql")"'

      - name: Report test results
-        uses: dorny/test-reporter@890a17cecf52a379fc869ab770a71657660be727 # v2.1.0
+        uses: dorny/test-reporter@fe45e9537387dac839af0d33ba56eed8e24189e8 # v2.3.0
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
        with:
          name: Test Results
-          path: "**/*-test-results.trx"
+          path: "./**/*-test-results.trx"
          reporter: dotnet-trx
          fail-on-error: true

      - name: Upload to codecov.io
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2

      - name: Docker Compose down
        if: always()
@ -176,10 +178,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1

      - name: Print environment
        run: |
@ -193,7 +197,7 @@ jobs:
        shell: pwsh

      - name: Upload DACPAC
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: sql.dacpac
          path: Sql.dacpac
@ -219,7 +223,7 @@ jobs:
        shell: pwsh

      - name: Report validation results
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: report.xml
          path: |
@ -258,3 +262,26 @@ jobs:
        working-directory: "dev"
        run: docker compose down
        shell: pwsh
+
+  validate-migration-naming:
+    name: Validate new migration naming and order
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Validate new migrations for pull request
+        if: github.event_name == 'pull_request'
+        run: |
+          git fetch origin main:main
+          pwsh dev/verify_migrations.ps1 -BaseRef main
+        shell: pwsh
+
+      - name: Validate new migrations for push
+        if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+        run: pwsh dev/verify_migrations.ps1 -BaseRef HEAD~1
+        shell: pwsh
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -27,10 +27,20 @@ jobs:

    steps:
      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false

      - name: Set up .NET
-        uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1
+
+      - name: Install rust
+        uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # stable
+        with:
+          toolchain: stable
+
+      - name: Cache cargo registry
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2

      - name: Print environment
        run: |
@ -49,7 +59,7 @@ jobs:
        run: dotnet test ./bitwarden_license/test --configuration Debug --logger "trx;LogFileName=bw-test-results.trx" /p:CoverletOutputFormatter="cobertura" --collect:"XPlat Code Coverage"

      - name: Report test results
-        uses: dorny/test-reporter@890a17cecf52a379fc869ab770a71657660be727 # v2.1.0
+        uses: dorny/test-reporter@fe45e9537387dac839af0d33ba56eed8e24189e8 # v2.3.0
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
        with:
          name: Test Results
@ -58,4 +68,4 @@ jobs:
          fail-on-error: true

      - name: Upload to codecov.io
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
--- a/.gitignore
+++ b/.gitignore
@ -215,6 +215,9 @@ bitwarden_license/src/Sso/wwwroot/assets
 **/**.swp
 .mono
 src/Core/MailTemplates/Mjml/out
+src/Core/MailTemplates/Mjml/out-hbs
+NativeMethods.g.cs
+util/RustSdk/rust/target

 src/Admin/Admin.zip
 src/Api/Api.zip
@ -231,3 +234,7 @@ bitwarden_license/src/Sso/Sso.zip
 /identity.json
 /api.json
 /api.public.json
+.serena/
+
+# Serena
+.serena/
--- a/Directory.Build.props
+++ b/Directory.Build.props
@ -3,12 +3,10 @@
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>

-    <Version>2025.9.0</Version>
+    <Version>2025.12.2</Version>

    <RootNamespace>Bit.$(MSBuildProjectName)</RootNamespace>
    <ImplicitUsings>enable</ImplicitUsings>
-    <IncludeSourceRevisionInInformationalVersion>false</IncludeSourceRevisionInInformationalVersion>
-    
    <IsTestProject Condition="'$(IsTestProject)' == '' and ($(MSBuildProjectName.EndsWith('.Test')) or $(MSBuildProjectName.EndsWith('.IntegrationTest')))">true</IsTestProject>
    <Nullable Condition="'$(Nullable)' == '' and '$(IsTestProject)' == 'true'">annotations</Nullable>
    <Nullable Condition="'$(Nullable)' == '' and '$(IsTestProject)' != 'true'">enable</Nullable>
@ -18,7 +16,7 @@
  
  <PropertyGroup>
    
-    <MicrosoftNetTestSdkVersion>17.8.0</MicrosoftNetTestSdkVersion>
+    <MicrosoftNetTestSdkVersion>18.0.1</MicrosoftNetTestSdkVersion>
    
    <XUnitVersion>2.6.6</XUnitVersion>
    
@ -32,19 +30,4 @@
    
    <AutoFixtureAutoNSubstituteVersion>4.18.1</AutoFixtureAutoNSubstituteVersion>
  </PropertyGroup>
-
-  
-  <Target Name="SetSourceRevisionId" BeforeTargets="CoreGenerateAssemblyInfo">
-    <Exec Command="git describe --long --always --dirty --exclude=* --abbrev=8" ConsoleToMSBuild="True" IgnoreExitCode="False">
-      <Output PropertyName="SourceRevisionId" TaskParameter="ConsoleOutput" />
-    </Exec>
-  </Target>
-  <Target Name="WriteRevision" AfterTargets="SetSourceRevisionId">
-    <ItemGroup>
-      <AssemblyAttribute Include="System.Reflection.AssemblyMetadataAttribute">
-        <_Parameter1>GitHash</_Parameter1>
-        <_Parameter2>$(SourceRevisionId)</_Parameter2>
-      </AssemblyAttribute>
-    </ItemGroup>
-  </Target>
 </Project>
--- a/README.md
+++ b/README.md
@ -58,6 +58,42 @@ Invoke-RestMethod -OutFile bitwarden.ps1 `
 .\bitwarden.ps1 -start
 ```

+## Production Container Images
+
+<details>
+<summary><b>View Current Production Image Hashes</b> (click to expand)</summary>
+<br>
+
+### US Production Cluster
+
+| Service | Image Hash |
+|---------|------------|
+| **Admin** | ![admin](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.admin&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **API** | ![api](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.api&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Billing** | ![billing](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.billing&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Events** | ![events](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.events&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **EventsProcessor** | ![eventsprocessor](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.eventsprocessor&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Identity** | ![identity](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.identity&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Notifications** | ![notifications](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.notifications&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SCIM** | ![scim](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.scim&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SSO** | ![sso](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-us.json&query=%24.sso&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+
+### EU Production Cluster
+
+| Service | Image Hash |
+|---------|------------|
+| **Admin** | ![admin](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.admin&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **API** | ![api](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.api&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Billing** | ![billing](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.billing&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Events** | ![events](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.events&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **EventsProcessor** | ![eventsprocessor](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.eventsprocessor&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Identity** | ![identity](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.identity&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **Notifications** | ![notifications](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.notifications&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SCIM** | ![scim](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.scim&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+| **SSO** | ![sso](https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fraw.githubusercontent.com%2Fbitwarden%2Fserver%2Frefs%2Fheads%2Fmetadata%2Fbadges%2Fshieldsio-badge-eu.json&query=%24.sso&style=flat-square&logo=docker&logoColor=white&label=&color=2496ED) |
+
+</details>
+
 ## We're Hiring!

 Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our [Careers page](https://bitwarden.com/careers/) to see what opportunities are currently open as well as what it's like to work at Bitwarden.
--- a/bitwarden-server.sln
+++ b/bitwarden-server.sln
@ -1,7 +1,7 @@

 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 16
-VisualStudioVersion = 16.0.29102.190
+# Visual Studio Version 17
+VisualStudioVersion = 17.14.36705.20 d17.14
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src - AGPL", "src - AGPL", "{DD5BD056-4AAE-43EF-BBD2-0B569B8DA84D}"
 EndProject
@ -11,19 +11,19 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{DD5BD056-4
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{458155D3-BCBC-481D-B37A-40D2ED10F0A4}"
 	ProjectSection(SolutionItems) = preProject
+		.dockerignore = .dockerignore
+		.editorconfig = .editorconfig
+		.gitignore = .gitignore
+		CONTRIBUTING.md = CONTRIBUTING.md
 		Directory.Build.props = Directory.Build.props
 		global.json = global.json
-		.gitignore = .gitignore
-		README.md = README.md
-		.editorconfig = .editorconfig
-		TRADEMARK_GUIDELINES.md = TRADEMARK_GUIDELINES.md
-		SECURITY.md = SECURITY.md
-		LICENSE_FAQ.md = LICENSE_FAQ.md
-		LICENSE_BITWARDEN.txt = LICENSE_BITWARDEN.txt
-		LICENSE_AGPL.txt = LICENSE_AGPL.txt
 		LICENSE.txt = LICENSE.txt
-		CONTRIBUTING.md = CONTRIBUTING.md
-		.dockerignore = .dockerignore
+		LICENSE_AGPL.txt = LICENSE_AGPL.txt
+		LICENSE_BITWARDEN.txt = LICENSE_BITWARDEN.txt
+		LICENSE_FAQ.md = LICENSE_FAQ.md
+		README.md = README.md
+		SECURITY.md = SECURITY.md
+		TRADEMARK_GUIDELINES.md = TRADEMARK_GUIDELINES.md
 	EndProjectSection
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Core", "src\Core\Core.csproj", "{3973D21B-A692-4B60-9B70-3631C057423A}"
@ -133,8 +133,14 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Seeder", "util\Seeder\Seede
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DbSeederUtility", "util\DbSeederUtility\DbSeederUtility.csproj", "{17A89266-260A-4A03-81AE-C0468C6EE06E}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "RustSdk", "util\RustSdk\RustSdk.csproj", "{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}"
+EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharedWeb.Test", "test\SharedWeb.Test\SharedWeb.Test.csproj", "{AD59537D-5259-4B7A-948F-0CF58E80B359}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SSO.Test", "bitwarden_license\test\SSO.Test\SSO.Test.csproj", "{7D98784C-C253-43FB-9873-25B65C6250D6}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Sso.IntegrationTest", "bitwarden_license\test\Sso.IntegrationTest\Sso.IntegrationTest.csproj", "{FFB09376-595B-6F93-36F0-70CAE90AFECB}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@ -339,10 +345,22 @@ Global
 		{17A89266-260A-4A03-81AE-C0468C6EE06E}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{17A89266-260A-4A03-81AE-C0468C6EE06E}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{17A89266-260A-4A03-81AE-C0468C6EE06E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7}.Release|Any CPU.Build.0 = Release|Any CPU
 		{AD59537D-5259-4B7A-948F-0CF58E80B359}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{AD59537D-5259-4B7A-948F-0CF58E80B359}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{AD59537D-5259-4B7A-948F-0CF58E80B359}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{AD59537D-5259-4B7A-948F-0CF58E80B359}.Release|Any CPU.Build.0 = Release|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{7D98784C-C253-43FB-9873-25B65C6250D6}.Release|Any CPU.Build.0 = Release|Any CPU
+		{FFB09376-595B-6F93-36F0-70CAE90AFECB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{FFB09376-595B-6F93-36F0-70CAE90AFECB}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{FFB09376-595B-6F93-36F0-70CAE90AFECB}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{FFB09376-595B-6F93-36F0-70CAE90AFECB}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@ -397,7 +415,10 @@ Global
 		{3631BA42-6731-4118-A917-DAA43C5032B9} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
 		{9A612EBA-1C0E-42B8-982B-62F0EE81000A} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84E}
 		{17A89266-260A-4A03-81AE-C0468C6EE06E} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84E}
+		{D1513D90-E4F5-44A9-9121-5E46E3E4A3F7} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84E}
 		{AD59537D-5259-4B7A-948F-0CF58E80B359} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84F}
+		{7D98784C-C253-43FB-9873-25B65C6250D6} = {287CFF34-BBDB-4BC4-AF88-1E19A5A4679B}
+		{FFB09376-595B-6F93-36F0-70CAE90AFECB} = {287CFF34-BBDB-4BC4-AF88-1E19A5A4679B}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {E01CBF68-2E20-425F-9EDB-E0A6510CA92F}
--- a/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/AdminConsole/Providers/RemoveOrganizationFromProviderCommand.cs
@ -113,7 +113,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
                await _providerBillingService.CreateCustomerForClientOrganization(provider, organization);
            }

-            var customer = await _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
+            var customer = await _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
            {
                Description = string.Empty,
                Email = organization.BillingEmail,
@ -138,7 +138,7 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv

            subscriptionCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };

-            var subscription = await _stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
+            var subscription = await _stripeAdapter.CreateSubscriptionAsync(subscriptionCreateOptions);

            organization.GatewaySubscriptionId = subscription.Id;
            organization.Status = OrganizationStatusType.Created;
@ -148,22 +148,29 @@ public class RemoveOrganizationFromProviderCommand : IRemoveOrganizationFromProv
        }
        else if (organization.IsStripeEnabled())
        {
-            var subscription = await _stripeAdapter.SubscriptionGetAsync(organization.GatewaySubscriptionId);
+            var subscription = await _stripeAdapter.GetSubscriptionAsync(organization.GatewaySubscriptionId, new SubscriptionGetOptions
+            {
+                Expand = ["customer"]
+            });
            if (subscription.Status is StripeConstants.SubscriptionStatus.Canceled or StripeConstants.SubscriptionStatus.IncompleteExpired)
            {
                return;
            }

-            await _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
+            await _stripeAdapter.UpdateCustomerAsync(subscription.CustomerId, new CustomerUpdateOptions
            {
-                Coupon = string.Empty,
                Email = organization.BillingEmail
            });

-            await _stripeAdapter.SubscriptionUpdateAsync(organization.GatewaySubscriptionId, new SubscriptionUpdateOptions
+            if (subscription.Customer.Discount?.Coupon != null)
+            {
+                await _stripeAdapter.DeleteCustomerDiscountAsync(subscription.CustomerId);
+            }
+
+            await _stripeAdapter.UpdateSubscriptionAsync(organization.GatewaySubscriptionId, new SubscriptionUpdateOptions
            {
                CollectionMethod = StripeConstants.CollectionMethod.SendInvoice,
-                DaysUntilDue = 30
+                DaysUntilDue = 30,
            });

            await _subscriberService.RemovePaymentSource(organization);
--- a/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
+++ b/bitwarden_license/src/Commercial.Core/AdminConsole/Services/ProviderService.cs
@ -9,12 +9,16 @@ using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.AdminConsole.Services;
 using Bit.Core.Billing.Enums;
-using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Payment.Models;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Providers.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@ -35,8 +39,9 @@ public class ProviderService : IProviderService
 {
    private static readonly PlanType[] _resellerDisallowedOrganizationTypes = [
        PlanType.Free,
-        PlanType.FamiliesAnnually,
-        PlanType.FamiliesAnnually2019
+        PlanType.FamiliesAnnually2025,
+        PlanType.FamiliesAnnually2019,
+        PlanType.FamiliesAnnually
    ];

    private readonly IDataProtector _dataProtector;
@ -58,6 +63,7 @@ public class ProviderService : IProviderService
    private readonly IProviderBillingService _providerBillingService;
    private readonly IPricingClient _pricingClient;
    private readonly IProviderClientOrganizationSignUpCommand _providerClientOrganizationSignUpCommand;
+    private readonly IPolicyRequirementQuery _policyRequirementQuery;

    public ProviderService(IProviderRepository providerRepository, IProviderUserRepository providerUserRepository,
        IProviderOrganizationRepository providerOrganizationRepository, IUserRepository userRepository,
@ -67,7 +73,8 @@ public class ProviderService : IProviderService
        ICurrentContext currentContext, IStripeAdapter stripeAdapter, IFeatureService featureService,
        IDataProtectorTokenFactory<ProviderDeleteTokenable> providerDeleteTokenDataFactory,
        IApplicationCacheService applicationCacheService, IProviderBillingService providerBillingService, IPricingClient pricingClient,
-        IProviderClientOrganizationSignUpCommand providerClientOrganizationSignUpCommand)
+        IProviderClientOrganizationSignUpCommand providerClientOrganizationSignUpCommand,
+        IPolicyRequirementQuery policyRequirementQuery)
    {
        _providerRepository = providerRepository;
        _providerUserRepository = providerUserRepository;
@ -88,9 +95,10 @@ public class ProviderService : IProviderService
        _providerBillingService = providerBillingService;
        _pricingClient = pricingClient;
        _providerClientOrganizationSignUpCommand = providerClientOrganizationSignUpCommand;
+        _policyRequirementQuery = policyRequirementQuery;
    }

-    public async Task<Provider> CompleteSetupAsync(Provider provider, Guid ownerUserId, string token, string key, TaxInfo taxInfo, TokenizedPaymentSource tokenizedPaymentSource = null)
+    public async Task<Provider> CompleteSetupAsync(Provider provider, Guid ownerUserId, string token, string key, TokenizedPaymentMethod paymentMethod, BillingAddress billingAddress)
    {
        var owner = await _userService.GetUserByIdAsync(ownerUserId);
        if (owner == null)
@ -115,21 +123,19 @@ public class ProviderService : IProviderService
            throw new BadRequestException("Invalid owner.");
        }

-        if (taxInfo == null || string.IsNullOrEmpty(taxInfo.BillingAddressCountry) || string.IsNullOrEmpty(taxInfo.BillingAddressPostalCode))
+        if (_featureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
        {
-            throw new BadRequestException("Both address and postal code are required to set up your provider.");
-        }
+            var organizationAutoConfirmPolicyRequirement = await _policyRequirementQuery
+                .GetAsync<AutomaticUserConfirmationPolicyRequirement>(ownerUserId);

-        if (tokenizedPaymentSource is not
+            if (organizationAutoConfirmPolicyRequirement
+                .CannotCreateProvider())
            {
-                Type: PaymentMethodType.BankAccount or PaymentMethodType.Card or PaymentMethodType.PayPal,
-                Token: not null and not ""
-            })
-        {
-            throw new BadRequestException("A payment method is required to set up your provider.");
+                throw new BadRequestException(new UserCannotJoinProvider().Message);
+            }
        }

-        var customer = await _providerBillingService.SetupCustomer(provider, taxInfo, tokenizedPaymentSource);
+        var customer = await _providerBillingService.SetupCustomer(provider, paymentMethod, billingAddress);
        provider.GatewayCustomerId = customer.Id;
        var subscription = await _providerBillingService.SetupSubscription(provider);
        provider.GatewaySubscriptionId = subscription.Id;
@ -261,6 +267,18 @@ public class ProviderService : IProviderService
            throw new BadRequestException("User email does not match invite.");
        }

+        if (_featureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
+        {
+            var organizationAutoConfirmPolicyRequirement = await _policyRequirementQuery
+                .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id);
+
+            if (organizationAutoConfirmPolicyRequirement
+                .CannotJoinProvider())
+            {
+                throw new BadRequestException(new UserCannotJoinProvider().Message);
+            }
+        }
+
        providerUser.Status = ProviderUserStatusType.Accepted;
        providerUser.UserId = user.Id;
        providerUser.Email = null;
@ -306,6 +324,19 @@ public class ProviderService : IProviderService
                    throw new BadRequestException("Invalid user.");
                }

+                if (_featureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
+                {
+                    var organizationAutoConfirmPolicyRequirement = await _policyRequirementQuery
+                        .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id);
+
+                    if (organizationAutoConfirmPolicyRequirement
+                        .CannotJoinProvider())
+                    {
+                        result.Add(Tuple.Create(providerUser, new UserCannotJoinProvider().Message));
+                        continue;
+                    }
+                }
+
                providerUser.Status = ProviderUserStatusType.Confirmed;
                providerUser.Key = keys[providerUser.Id];
                providerUser.Email = null;
@ -440,7 +471,7 @@ public class ProviderService : IProviderService

        if (!string.IsNullOrEmpty(organization.GatewayCustomerId))
        {
-            await _stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
+            await _stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, new CustomerUpdateOptions
            {
                Email = provider.BillingEmail
            });
@ -500,7 +531,7 @@ public class ProviderService : IProviderService

    private async Task<SubscriptionItem> GetSubscriptionItemAsync(string subscriptionId, string oldPlanId)
    {
-        var subscriptionDetails = await _stripeAdapter.SubscriptionGetAsync(subscriptionId);
+        var subscriptionDetails = await _stripeAdapter.GetSubscriptionAsync(subscriptionId);
        return subscriptionDetails.Items.Data.FirstOrDefault(item => item.Price.Id == oldPlanId);
    }

@ -510,7 +541,7 @@ public class ProviderService : IProviderService
        {
            if (subscriptionItem.Price.Id != extractedPlanType)
            {
-                await _stripeAdapter.SubscriptionUpdateAsync(subscriptionItem.Subscription,
+                await _stripeAdapter.UpdateSubscriptionAsync(subscriptionItem.Subscription,
                    new Stripe.SubscriptionUpdateOptions
                    {
                        Items = new List<Stripe.SubscriptionItemOptions>
--- a/bitwarden_license/src/Commercial.Core/Billing/Providers/Queries/GetProviderWarningsQuery.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/Providers/Queries/GetProviderWarningsQuery.cs
@ -4,12 +4,12 @@ using Bit.Core.Billing.Providers.Models;
 using Bit.Core.Billing.Providers.Queries;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
-using Bit.Core.Services;
 using Stripe;
 using Stripe.Tax;

 namespace Bit.Commercial.Core.Billing.Providers.Queries;

+using static Bit.Core.Constants;
 using static StripeConstants;
 using SuspensionWarning = ProviderWarnings.SuspensionWarning;
 using TaxIdWarning = ProviderWarnings.TaxIdWarning;
@ -61,6 +61,11 @@ public class GetProviderWarningsQuery(
        Provider provider,
        Customer customer)
    {
+        if (customer.Address?.Country == CountryAbbreviations.UnitedStates)
+        {
+            return null;
+        }
+
        if (!currentContext.ProviderProviderAdmin(provider.Id))
        {
            return null;
@ -70,12 +75,12 @@ public class GetProviderWarningsQuery(

        // Get active and scheduled registrations
        var registrations = (await Task.WhenAll(
-                stripeAdapter.TaxRegistrationsListAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Active }),
-                stripeAdapter.TaxRegistrationsListAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Scheduled })))
+                stripeAdapter.ListTaxRegistrationsAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Active }),
+                stripeAdapter.ListTaxRegistrationsAsync(new RegistrationListOptions { Status = TaxRegistrationStatus.Scheduled })))
            .SelectMany(registrations => registrations.Data);

        // Find the matching registration for the customer
-        var registration = registrations.FirstOrDefault(registration => registration.Country == customer.Address.Country);
+        var registration = registrations.FirstOrDefault(registration => registration.Country == customer.Address?.Country);

        // If we're not registered in their country, we don't need a warning
        if (registration == null)
--- a/bitwarden_license/src/Commercial.Core/Billing/Providers/Services/BusinessUnitConverter.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/Providers/Services/BusinessUnitConverter.cs
@ -101,7 +101,7 @@ public class BusinessUnitConverter(
        providerUser.Status = ProviderUserStatusType.Confirmed;

        // Stripe requires that we clear all the custom fields from the invoice settings if we want to replace them.
-        await stripeAdapter.CustomerUpdateAsync(subscription.CustomerId, new CustomerUpdateOptions
+        await stripeAdapter.UpdateCustomerAsync(subscription.CustomerId, new CustomerUpdateOptions
        {
            InvoiceSettings = new CustomerInvoiceSettingsOptions
            {
@ -116,7 +116,7 @@ public class BusinessUnitConverter(
            ["convertedFrom"] = organization.Id.ToString()
        };

-        var updateCustomer = stripeAdapter.CustomerUpdateAsync(subscription.CustomerId, new CustomerUpdateOptions
+        var updateCustomer = stripeAdapter.UpdateCustomerAsync(subscription.CustomerId, new CustomerUpdateOptions
        {
            InvoiceSettings = new CustomerInvoiceSettingsOptions
            {
@ -148,7 +148,7 @@ public class BusinessUnitConverter(

        // Replace the existing password manager price with the new business unit price.
        var updateSubscription =
-            stripeAdapter.SubscriptionUpdateAsync(subscription.Id,
+            stripeAdapter.UpdateSubscriptionAsync(subscription.Id,
                new SubscriptionUpdateOptions
                {
                    Items = [
--- a/bitwarden_license/src/Commercial.Core/Billing/Providers/Services/ProviderBillingService.cs
+++ b/bitwarden_license/src/Commercial.Core/Billing/Providers/Services/ProviderBillingService.cs
@ -14,6 +14,7 @@ using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
 using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Payment.Models;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Providers.Entities;
 using Bit.Core.Billing.Providers.Models;
@ -21,10 +22,8 @@ using Bit.Core.Billing.Providers.Repositories;
 using Bit.Core.Billing.Providers.Services;
 using Bit.Core.Billing.Services;
 using Bit.Core.Billing.Tax.Models;
-using Bit.Core.Billing.Tax.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Core.Models.Business;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
@ -38,6 +37,9 @@ using Subscription = Stripe.Subscription;

 namespace Bit.Commercial.Core.Billing.Providers.Services;

+using static Constants;
+using static StripeConstants;
+
 public class ProviderBillingService(
    IBraintreeGateway braintreeGateway,
    IEventService eventService,
@ -51,8 +53,7 @@ public class ProviderBillingService(
    IProviderUserRepository providerUserRepository,
    ISetupIntentCache setupIntentCache,
    IStripeAdapter stripeAdapter,
-    ISubscriberService subscriberService,
-    ITaxService taxService)
+    ISubscriberService subscriberService)
    : IProviderBillingService
 {
    public async Task AddExistingOrganization(
@ -60,14 +61,11 @@ public class ProviderBillingService(
        Organization organization,
        string key)
    {
-        await stripeAdapter.SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
-            new SubscriptionUpdateOptions
-            {
-                CancelAtPeriodEnd = false
-            });
+        await stripeAdapter.UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
+            new SubscriptionUpdateOptions { CancelAtPeriodEnd = false });

        var subscription =
-            await stripeAdapter.SubscriptionCancelAsync(organization.GatewaySubscriptionId,
+            await stripeAdapter.CancelSubscriptionAsync(organization.GatewaySubscriptionId,
                new SubscriptionCancelOptions
                {
                    CancellationDetails = new SubscriptionCancellationDetailsOptions
@ -83,9 +81,9 @@ public class ProviderBillingService(

        var wasTrialing = subscription.TrialEnd.HasValue && subscription.TrialEnd.Value > now;

-        if (!wasTrialing && subscription.LatestInvoice.Status == StripeConstants.InvoiceStatus.Draft)
+        if (!wasTrialing && subscription.LatestInvoice.Status == InvoiceStatus.Draft)
        {
-            await stripeAdapter.InvoiceFinalizeInvoiceAsync(subscription.LatestInvoiceId,
+            await stripeAdapter.FinalizeInvoiceAsync(subscription.LatestInvoiceId,
                new InvoiceFinalizeOptions { AutoAdvance = true });
        }

@ -140,7 +138,7 @@ public class ProviderBillingService(

        if (clientCustomer.Balance != 0)
        {
-            await stripeAdapter.CustomerBalanceTransactionCreate(provider.GatewayCustomerId,
+            await stripeAdapter.CreateCustomerBalanceTransactionAsync(provider.GatewayCustomerId,
                new CustomerBalanceTransactionCreateOptions
                {
                    Amount = clientCustomer.Balance,
@ -184,25 +182,18 @@ public class ProviderBillingService(
        {
            Items =
            [
-                new SubscriptionItemOptions
-                {
-                    Price = newPriceId,
-                    Quantity = oldSubscriptionItem!.Quantity
-                },
-                new SubscriptionItemOptions
-                {
-                    Id = oldSubscriptionItem.Id,
-                    Deleted = true
-                }
+                new SubscriptionItemOptions { Price = newPriceId, Quantity = oldSubscriptionItem!.Quantity },
+                new SubscriptionItemOptions { Id = oldSubscriptionItem.Id, Deleted = true }
            ]
        };

-        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId, updateOptions);
+        await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId, updateOptions);

        // Refactor later to ?ChangeClientPlanCommand? (ProviderPlanId, ProviderId, OrganizationId)
        // 1. Retrieve PlanType and PlanName for ProviderPlan
        // 2. Assign PlanType & PlanName to Organization
-        var providerOrganizations = await providerOrganizationRepository.GetManyDetailsByProviderAsync(providerPlan.ProviderId);
+        var providerOrganizations =
+            await providerOrganizationRepository.GetManyDetailsByProviderAsync(providerPlan.ProviderId);

        var newPlan = await pricingClient.GetPlanOrThrow(newPlanType);

@ -213,6 +204,7 @@ public class ProviderBillingService(
            {
                throw new ConflictException($"Organization '{providerOrganization.Id}' not found.");
            }
+
            organization.PlanType = newPlanType;
            organization.Plan = newPlan.Name;
            await organizationRepository.ReplaceAsync(organization);
@ -228,15 +220,15 @@ public class ProviderBillingService(

        if (!string.IsNullOrEmpty(organization.GatewayCustomerId))
        {
-            logger.LogWarning("Client organization ({ID}) already has a populated {FieldName}", organization.Id, nameof(organization.GatewayCustomerId));
+            logger.LogWarning("Client organization ({ID}) already has a populated {FieldName}", organization.Id,
+                nameof(organization.GatewayCustomerId));

            return;
        }

-        var providerCustomer = await subscriberService.GetCustomerOrThrow(provider, new CustomerGetOptions
-        {
-            Expand = ["tax", "tax_ids"]
-        });
+        var providerCustomer =
+            await subscriberService.GetCustomerOrThrow(provider,
+                new CustomerGetOptions { Expand = ["tax", "tax_ids"] });

        var providerTaxId = providerCustomer.TaxIds.FirstOrDefault();

@ -269,26 +261,21 @@ public class ProviderBillingService(
                    }
                ]
            },
-            Metadata = new Dictionary<string, string>
-            {
-                { "region", globalSettings.BaseServiceUri.CloudRegion }
-            },
-            TaxIdData = providerTaxId == null ? null :
-            [
-                new CustomerTaxIdDataOptions
-                {
-                    Type = providerTaxId.Type,
-                    Value = providerTaxId.Value
-                }
-            ]
+            Metadata = new Dictionary<string, string> { { "region", globalSettings.BaseServiceUri.CloudRegion } },
+            TaxIdData = providerTaxId == null
+                ? null
+                :
+                [
+                    new CustomerTaxIdDataOptions { Type = providerTaxId.Type, Value = providerTaxId.Value }
+                ]
        };

-        if (providerCustomer.Address is not { Country: Constants.CountryAbbreviations.UnitedStates })
+        if (providerCustomer.Address is not { Country: CountryAbbreviations.UnitedStates })
        {
-            customerCreateOptions.TaxExempt = StripeConstants.TaxExempt.Reverse;
+            customerCreateOptions.TaxExempt = TaxExempt.Reverse;
        }

-        var customer = await stripeAdapter.CustomerCreateAsync(customerCreateOptions);
+        var customer = await stripeAdapter.CreateCustomerAsync(customerCreateOptions);

        organization.GatewayCustomerId = customer.Id;

@ -347,9 +334,9 @@ public class ProviderBillingService(
            .Where(pair => pair.subscription is
            {
                Status:
-                    StripeConstants.SubscriptionStatus.Active or
-                    StripeConstants.SubscriptionStatus.Trialing or
-                    StripeConstants.SubscriptionStatus.PastDue
+                SubscriptionStatus.Active or
+                SubscriptionStatus.Trialing or
+                SubscriptionStatus.PastDue
            }).ToList();

        if (active.Count == 0)
@ -474,36 +461,25 @@ public class ProviderBillingService(
            // Below the limit to above the limit
            (currentlyAssignedSeatTotal <= seatMinimum && newlyAssignedSeatTotal > seatMinimum) ||
            // Above the limit to further above the limit
-            (currentlyAssignedSeatTotal > seatMinimum && newlyAssignedSeatTotal > seatMinimum && newlyAssignedSeatTotal > currentlyAssignedSeatTotal);
+            (currentlyAssignedSeatTotal > seatMinimum && newlyAssignedSeatTotal > seatMinimum &&
+             newlyAssignedSeatTotal > currentlyAssignedSeatTotal);
    }

    public async Task<Customer> SetupCustomer(
        Provider provider,
-        TaxInfo taxInfo,
-        TokenizedPaymentSource tokenizedPaymentSource)
+        TokenizedPaymentMethod paymentMethod,
+        BillingAddress billingAddress)
    {
-        ArgumentNullException.ThrowIfNull(tokenizedPaymentSource);
-
-        if (taxInfo is not
-            {
-                BillingAddressCountry: not null and not "",
-                BillingAddressPostalCode: not null and not ""
-            })
-        {
-            logger.LogError("Cannot create customer for provider ({ProviderID}) without both a country and postal code", provider.Id);
-            throw new BillingException();
-        }
-
        var options = new CustomerCreateOptions
        {
            Address = new AddressOptions
            {
-                Country = taxInfo.BillingAddressCountry,
-                PostalCode = taxInfo.BillingAddressPostalCode,
-                Line1 = taxInfo.BillingAddressLine1,
-                Line2 = taxInfo.BillingAddressLine2,
-                City = taxInfo.BillingAddressCity,
-                State = taxInfo.BillingAddressState
+                Country = billingAddress.Country,
+                PostalCode = billingAddress.PostalCode,
+                Line1 = billingAddress.Line1,
+                Line2 = billingAddress.Line2,
+                City = billingAddress.City,
+                State = billingAddress.State
            },
            Description = provider.DisplayBusinessName(),
            Email = provider.BillingEmail,
@ -520,93 +496,61 @@ public class ProviderBillingService(
                    }
                ]
            },
-            Metadata = new Dictionary<string, string>
-            {
-                { "region", globalSettings.BaseServiceUri.CloudRegion }
-            }
+            Metadata = new Dictionary<string, string> { { "region", globalSettings.BaseServiceUri.CloudRegion } },
+            TaxExempt = billingAddress.Country != CountryAbbreviations.UnitedStates ? TaxExempt.Reverse : TaxExempt.None
        };

-        if (taxInfo.BillingAddressCountry is not Constants.CountryAbbreviations.UnitedStates)
+        if (billingAddress.TaxId != null)
        {
-            options.TaxExempt = StripeConstants.TaxExempt.Reverse;
-        }
-
-        if (!string.IsNullOrEmpty(taxInfo.TaxIdNumber))
-        {
-            var taxIdType = taxService.GetStripeTaxCode(
-                taxInfo.BillingAddressCountry,
-                taxInfo.TaxIdNumber);
-
-            if (taxIdType == null)
-            {
-                logger.LogWarning("Could not infer tax ID type in country '{Country}' with tax ID '{TaxID}'.",
-                    taxInfo.BillingAddressCountry,
-                    taxInfo.TaxIdNumber);
-
-                throw new BadRequestException("billingTaxIdTypeInferenceError");
-            }
-
            options.TaxIdData =
            [
-                new CustomerTaxIdDataOptions { Type = taxIdType, Value = taxInfo.TaxIdNumber }
+                new CustomerTaxIdDataOptions { Type = billingAddress.TaxId.Code, Value = billingAddress.TaxId.Value }
            ];

-            if (taxIdType == StripeConstants.TaxIdType.SpanishNIF)
+            if (billingAddress.TaxId.Code == TaxIdType.SpanishNIF)
            {
                options.TaxIdData.Add(new CustomerTaxIdDataOptions
                {
-                    Type = StripeConstants.TaxIdType.EUVAT,
-                    Value = $"ES{taxInfo.TaxIdNumber}"
+                    Type = TaxIdType.EUVAT,
+                    Value = $"ES{billingAddress.TaxId.Value}"
                });
            }
        }

-        if (!string.IsNullOrEmpty(provider.DiscountId))
-        {
-            options.Coupon = provider.DiscountId;
-        }
-
        var braintreeCustomerId = "";

-        if (tokenizedPaymentSource is not
-            {
-                Type: PaymentMethodType.BankAccount or PaymentMethodType.Card or PaymentMethodType.PayPal,
-                Token: not null and not ""
-            })
-        {
-            logger.LogError("Cannot create customer for provider ({ProviderID}) with invalid payment method", provider.Id);
-            throw new BillingException();
-        }
-
-        var (type, token) = tokenizedPaymentSource;
-
        // ReSharper disable once SwitchStatementMissingSomeEnumCasesNoDefault
-        switch (type)
+        switch (paymentMethod.Type)
        {
-            case PaymentMethodType.BankAccount:
+            case TokenizablePaymentMethodType.BankAccount:
                {
                    var setupIntent =
-                        (await stripeAdapter.SetupIntentList(new SetupIntentListOptions { PaymentMethod = token }))
+                        (await stripeAdapter.ListSetupIntentsAsync(new SetupIntentListOptions
+                        {
+                            PaymentMethod = paymentMethod.Token
+                        }))
                        .FirstOrDefault();

                    if (setupIntent == null)
                    {
-                        logger.LogError("Cannot create customer for provider ({ProviderID}) without a setup intent for their bank account", provider.Id);
+                        logger.LogError(
+                            "Cannot create customer for provider ({ProviderID}) without a setup intent for their bank account",
+                            provider.Id);
                        throw new BillingException();
                    }

                    await setupIntentCache.Set(provider.Id, setupIntent.Id);
                    break;
                }
-            case PaymentMethodType.Card:
+            case TokenizablePaymentMethodType.Card:
                {
-                    options.PaymentMethod = token;
-                    options.InvoiceSettings.DefaultPaymentMethod = token;
+                    options.PaymentMethod = paymentMethod.Token;
+                    options.InvoiceSettings.DefaultPaymentMethod = paymentMethod.Token;
                    break;
                }
-            case PaymentMethodType.PayPal:
+            case TokenizablePaymentMethodType.PayPal:
                {
-                    braintreeCustomerId = await subscriberService.CreateBraintreeCustomer(provider, token);
+                    braintreeCustomerId = await subscriberService.CreateBraintreeCustomer(provider, paymentMethod.Token);
                    options.Metadata[BraintreeCustomerIdKey] = braintreeCustomerId;
                    break;
                }
@ -614,10 +558,9 @@ public class ProviderBillingService(

        try
        {
-            return await stripeAdapter.CustomerCreateAsync(options);
+            return await stripeAdapter.CreateCustomerAsync(options);
        }
-        catch (StripeException stripeException) when (stripeException.StripeError?.Code ==
-                                                      StripeConstants.ErrorCodes.TaxIdInvalid)
+        catch (StripeException stripeException) when (stripeException.StripeError?.Code == ErrorCodes.TaxIdInvalid)
        {
            await Revert();
            throw new BadRequestException(
@ -632,17 +575,17 @@ public class ProviderBillingService(
        async Task Revert()
        {
            // ReSharper disable once SwitchStatementMissingSomeEnumCasesNoDefault
-            switch (tokenizedPaymentSource.Type)
+            switch (paymentMethod.Type)
            {
-                case PaymentMethodType.BankAccount:
+                case TokenizablePaymentMethodType.BankAccount:
                    {
-                        var setupIntentId = await setupIntentCache.Get(provider.Id);
-                        await stripeAdapter.SetupIntentCancel(setupIntentId,
+                        var setupIntentId = await setupIntentCache.GetSetupIntentIdForSubscriber(provider.Id);
+                        await stripeAdapter.CancelSetupIntentAsync(setupIntentId,
                            new SetupIntentCancelOptions { CancellationReason = "abandoned" });
-                        await setupIntentCache.Remove(provider.Id);
+                        await setupIntentCache.RemoveSetupIntentForSubscriber(provider.Id);
                        break;
                    }
-                case PaymentMethodType.PayPal when !string.IsNullOrEmpty(braintreeCustomerId):
+                case TokenizablePaymentMethodType.PayPal when !string.IsNullOrEmpty(braintreeCustomerId):
                    {
                        await braintreeGateway.Customer.DeleteAsync(braintreeCustomerId);
                        break;
@ -661,9 +604,10 @@ public class ProviderBillingService(

        var providerPlans = await providerPlanRepository.GetByProviderId(provider.Id);

-        if (providerPlans == null || providerPlans.Count == 0)
+        if (providerPlans.Count == 0)
        {
-            logger.LogError("Cannot start subscription for provider ({ProviderID}) that has no configured plans", provider.Id);
+            logger.LogError("Cannot start subscription for provider ({ProviderID}) that has no configured plans",
+                provider.Id);

            throw new BillingException();
        }
@ -676,7 +620,9 @@ public class ProviderBillingService(

            if (!providerPlan.IsConfigured())
            {
-                logger.LogError("Cannot start subscription for provider ({ProviderID}) that has no configured {ProviderName} plan", provider.Id, plan.Name);
+                logger.LogError(
+                    "Cannot start subscription for provider ({ProviderID}) that has no configured {ProviderName} plan",
+                    provider.Id, plan.Name);
                throw new BillingException();
            }

@ -689,19 +635,17 @@ public class ProviderBillingService(
            });
        }

-        var setupIntentId = await setupIntentCache.Get(provider.Id);
+        var setupIntentId = await setupIntentCache.GetSetupIntentIdForSubscriber(provider.Id);

        var setupIntent = !string.IsNullOrEmpty(setupIntentId)
-            ? await stripeAdapter.SetupIntentGet(setupIntentId, new SetupIntentGetOptions
-            {
-                Expand = ["payment_method"]
-            })
+            ? await stripeAdapter.GetSetupIntentAsync(setupIntentId,
+                new SetupIntentGetOptions { Expand = ["payment_method"] })
            : null;

        var usePaymentMethod =
            !string.IsNullOrEmpty(customer.InvoiceSettings?.DefaultPaymentMethodId) ||
-            (customer.Metadata?.ContainsKey(BraintreeCustomerIdKey) == true) ||
-            (setupIntent?.IsUnverifiedBankAccount() == true);
+            customer.Metadata?.ContainsKey(BraintreeCustomerIdKey) == true ||
+            setupIntent?.IsUnverifiedBankAccount() == true;

        int? trialPeriodDays = provider.Type switch
        {
@ -712,30 +656,28 @@ public class ProviderBillingService(

        var subscriptionCreateOptions = new SubscriptionCreateOptions
        {
-            CollectionMethod = usePaymentMethod ?
-                StripeConstants.CollectionMethod.ChargeAutomatically : StripeConstants.CollectionMethod.SendInvoice,
+            CollectionMethod =
+                usePaymentMethod
+                    ? CollectionMethod.ChargeAutomatically
+                    : CollectionMethod.SendInvoice,
            Customer = customer.Id,
            DaysUntilDue = usePaymentMethod ? null : 30,
+            Discounts = !string.IsNullOrEmpty(provider.DiscountId) ? [new SubscriptionDiscountOptions { Coupon = provider.DiscountId }] : null,
            Items = subscriptionItemOptionsList,
-            Metadata = new Dictionary<string, string>
-            {
-                { "providerId", provider.Id.ToString() }
-            },
+            Metadata = new Dictionary<string, string> { { "providerId", provider.Id.ToString() } },
            OffSession = true,
-            ProrationBehavior = StripeConstants.ProrationBehavior.CreateProrations,
-            TrialPeriodDays = trialPeriodDays
+            ProrationBehavior = ProrationBehavior.CreateProrations,
+            TrialPeriodDays = trialPeriodDays,
+            AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true }
        };

-
-        subscriptionCreateOptions.AutomaticTax = new SubscriptionAutomaticTaxOptions { Enabled = true };
-
        try
        {
-            var subscription = await stripeAdapter.SubscriptionCreateAsync(subscriptionCreateOptions);
+            var subscription = await stripeAdapter.CreateSubscriptionAsync(subscriptionCreateOptions);

            if (subscription is
                {
-                    Status: StripeConstants.SubscriptionStatus.Active or StripeConstants.SubscriptionStatus.Trialing
+                    Status: SubscriptionStatus.Active or SubscriptionStatus.Trialing
                })
            {
                return subscription;
@ -749,9 +691,11 @@ public class ProviderBillingService(

            throw new BillingException();
        }
-        catch (StripeException stripeException) when (stripeException.StripeError?.Code == StripeConstants.ErrorCodes.CustomerTaxLocationInvalid)
+        catch (StripeException stripeException) when (stripeException.StripeError?.Code ==
+                                                      ErrorCodes.CustomerTaxLocationInvalid)
        {
-            throw new BadRequestException("Your location wasn't recognized. Please ensure your country and postal code are valid.");
+            throw new BadRequestException(
+                "Your location wasn't recognized. Please ensure your country and postal code are valid.");
        }
    }

@ -764,8 +708,8 @@ public class ProviderBillingService(
            subscriberService.UpdatePaymentSource(provider, tokenizedPaymentSource),
            subscriberService.UpdateTaxInformation(provider, taxInformation));

-        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
-            new SubscriptionUpdateOptions { CollectionMethod = StripeConstants.CollectionMethod.ChargeAutomatically });
+        await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
+            new SubscriptionUpdateOptions { CollectionMethod = CollectionMethod.ChargeAutomatically });
    }

    public async Task UpdateSeatMinimums(UpdateProviderSeatMinimumsCommand command)
@ -847,11 +791,49 @@ public class ProviderBillingService(

        if (subscriptionItemOptionsList.Count > 0)
        {
-            await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId,
+            await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId,
                new SubscriptionUpdateOptions { Items = subscriptionItemOptionsList });
        }
    }

+    public async Task UpdateProviderNameAndEmail(Provider provider)
+    {
+        if (string.IsNullOrWhiteSpace(provider.GatewayCustomerId))
+        {
+            logger.LogWarning(
+                "Provider ({ProviderId}) has no Stripe customer to update",
+                provider.Id);
+            return;
+        }
+
+        var newDisplayName = provider.DisplayName();
+
+        // Provider.DisplayName() can return null - handle gracefully
+        if (string.IsNullOrWhiteSpace(newDisplayName))
+        {
+            logger.LogWarning(
+                "Provider ({ProviderId}) has no name to update in Stripe",
+                provider.Id);
+            return;
+        }
+
+        await stripeAdapter.UpdateCustomerAsync(provider.GatewayCustomerId,
+            new CustomerUpdateOptions
+            {
+                Email = provider.BillingEmail,
+                Description = newDisplayName,
+                InvoiceSettings = new CustomerInvoiceSettingsOptions
+                {
+                    CustomFields = [
+                        new CustomerInvoiceSettingsCustomFieldOptions
+                        {
+                            Name = provider.SubscriberType(),
+                            Value = newDisplayName
+                        }]
+                },
+            });
+    }
+
    private Func<int, Task> CurrySeatScalingUpdate(
        Provider provider,
        ProviderPlan providerPlan,
@ -863,15 +845,11 @@ public class ProviderBillingService(

        var item = subscription.Items.First(item => item.Price.Id == priceId);

-        await stripeAdapter.SubscriptionUpdateAsync(provider.GatewaySubscriptionId, new SubscriptionUpdateOptions
+        await stripeAdapter.UpdateSubscriptionAsync(provider.GatewaySubscriptionId, new SubscriptionUpdateOptions
        {
-            Items = [
-                new SubscriptionItemOptions
-                {
-                    Id = item.Id,
-                    Price = priceId,
-                    Quantity = newlySubscribedSeats
-                }
+            Items =
+            [
+                new SubscriptionItemOptions { Id = item.Id, Price = priceId, Quantity = newlySubscribedSeats }
            ]
        });

@ -894,7 +872,8 @@ public class ProviderBillingService(
        var plan = await pricingClient.GetPlanOrThrow(planType);

        return providerOrganizations
-            .Where(providerOrganization => providerOrganization.Plan == plan.Name && providerOrganization.Status == OrganizationStatusType.Managed)
+            .Where(providerOrganization => providerOrganization.Plan == plan.Name &&
+                                           providerOrganization.Status == OrganizationStatusType.Managed)
            .Sum(providerOrganization => providerOrganization.Seats ?? 0);
    }

--- a/bitwarden_license/src/Commercial.Core/Commercial.Core.csproj
+++ b/bitwarden_license/src/Commercial.Core/Commercial.Core.csproj
@ -5,7 +5,7 @@
  </ItemGroup>

  <ItemGroup>
-    <PackageReference Include="CsvHelper" Version="33.0.1" />
+    <PackageReference Include="CsvHelper" Version="33.1.0" />
  </ItemGroup>

 </Project>
--- a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/ServiceAccounts/CreateServiceAccountCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/ServiceAccounts/CreateServiceAccountCommand.cs
@ -1,10 +1,13 @@
 // FIXME: Update this file to be null safe and then delete the line below
 #nullable disable

+using Bit.Core.Context;
+using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Commands.ServiceAccounts.Interfaces;
 using Bit.Core.SecretsManager.Entities;
 using Bit.Core.SecretsManager.Repositories;
+using Bit.Core.Services;

 namespace Bit.Commercial.Core.SecretsManager.Commands.ServiceAccounts;

@ -13,15 +16,21 @@ public class CreateServiceAccountCommand : ICreateServiceAccountCommand
    private readonly IAccessPolicyRepository _accessPolicyRepository;
    private readonly IOrganizationUserRepository _organizationUserRepository;
    private readonly IServiceAccountRepository _serviceAccountRepository;
+    private readonly IEventService _eventService;
+    private readonly ICurrentContext _currentContext;

    public CreateServiceAccountCommand(
        IAccessPolicyRepository accessPolicyRepository,
        IOrganizationUserRepository organizationUserRepository,
-        IServiceAccountRepository serviceAccountRepository)
+        IServiceAccountRepository serviceAccountRepository,
+        IEventService eventService,
+        ICurrentContext currentContext)
    {
        _accessPolicyRepository = accessPolicyRepository;
        _organizationUserRepository = organizationUserRepository;
        _serviceAccountRepository = serviceAccountRepository;
+        _eventService = eventService;
+        _currentContext = currentContext;
    }

    public async Task<ServiceAccount> CreateAsync(ServiceAccount serviceAccount, Guid userId)
@ -38,6 +47,7 @@ public class CreateServiceAccountCommand : ICreateServiceAccountCommand
            Write = true,
        };
        await _accessPolicyRepository.CreateManyAsync(new List<BaseAccessPolicy> { accessPolicy });
+        await _eventService.LogServiceAccountPeopleEventAsync(user.Id, accessPolicy, EventType.ServiceAccount_UserAdded, _currentContext.IdentityClientType);
        return createdServiceAccount;
    }
 }
--- a/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/Repositories/SecretVersionRepository.cs
+++ b/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/Repositories/SecretVersionRepository.cs
@ -0,0 +1,94 @@
+using AutoMapper;
+using Bit.Core.SecretsManager.Repositories;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using Bit.Infrastructure.EntityFramework.SecretsManager.Models;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Bit.Commercial.Infrastructure.EntityFramework.SecretsManager.Repositories;
+
+public class SecretVersionRepository : Repository<Core.SecretsManager.Entities.SecretVersion, SecretVersion, Guid>, ISecretVersionRepository
+{
+    public SecretVersionRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
+        : base(serviceScopeFactory, mapper, db => db.SecretVersion)
+    { }
+
+    public override async Task<Core.SecretsManager.Entities.SecretVersion?> GetByIdAsync(Guid id)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var secretVersion = await dbContext.SecretVersion
+            .Where(sv => sv.Id == id)
+            .FirstOrDefaultAsync();
+        return Mapper.Map<Core.SecretsManager.Entities.SecretVersion>(secretVersion);
+    }
+
+    public async Task<IEnumerable<Core.SecretsManager.Entities.SecretVersion>> GetManyBySecretIdAsync(Guid secretId)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var secretVersions = await dbContext.SecretVersion
+            .Where(sv => sv.SecretId == secretId)
+            .OrderByDescending(sv => sv.VersionDate)
+            .ToListAsync();
+        return Mapper.Map<List<Core.SecretsManager.Entities.SecretVersion>>(secretVersions);
+    }
+
+    public async Task<IEnumerable<Core.SecretsManager.Entities.SecretVersion>> GetManyByIdsAsync(IEnumerable<Guid> ids)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var versionIds = ids.ToList();
+        var secretVersions = await dbContext.SecretVersion
+            .Where(sv => versionIds.Contains(sv.Id))
+            .OrderByDescending(sv => sv.VersionDate)
+            .ToListAsync();
+        return Mapper.Map<List<Core.SecretsManager.Entities.SecretVersion>>(secretVersions);
+    }
+
+    public override async Task<Core.SecretsManager.Entities.SecretVersion> CreateAsync(Core.SecretsManager.Entities.SecretVersion secretVersion)
+    {
+        const int maxVersionsToKeep = 10;
+
+        await using var scope = ServiceScopeFactory.CreateAsyncScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        await using var transaction = await dbContext.Database.BeginTransactionAsync();
+
+        // Get the IDs of the most recent (maxVersionsToKeep - 1) versions to keep
+        var versionsToKeepIds = await dbContext.SecretVersion
+            .Where(sv => sv.SecretId == secretVersion.SecretId)
+            .OrderByDescending(sv => sv.VersionDate)
+            .Take(maxVersionsToKeep - 1)
+            .Select(sv => sv.Id)
+            .ToListAsync();
+
+        // Delete all versions for this secret that are not in the "keep" list
+        if (versionsToKeepIds.Any())
+        {
+            await dbContext.SecretVersion
+                .Where(sv => sv.SecretId == secretVersion.SecretId && !versionsToKeepIds.Contains(sv.Id))
+                .ExecuteDeleteAsync();
+        }
+
+        secretVersion.SetNewId();
+        var entity = Mapper.Map<SecretVersion>(secretVersion);
+
+        await dbContext.AddAsync(entity);
+        await dbContext.SaveChangesAsync();
+        await transaction.CommitAsync();
+
+        return secretVersion;
+    }
+
+    public async Task DeleteManyByIdAsync(IEnumerable<Guid> ids)
+    {
+        await using var scope = ServiceScopeFactory.CreateAsyncScope();
+        var dbContext = GetDatabaseContext(scope);
+
+        var secretVersionIds = ids.ToList();
+        await dbContext.SecretVersion
+            .Where(sv => secretVersionIds.Contains(sv.Id))
+            .ExecuteDeleteAsync();
+    }
+}
--- a/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/SecretsManagerEFServiceCollectionExtensions.cs
+++ b/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/SecretsManagerEFServiceCollectionExtensions.cs
@ -10,6 +10,7 @@ public static class SecretsManagerEfServiceCollectionExtensions
    {
        services.AddSingleton<IAccessPolicyRepository, AccessPolicyRepository>();
        services.AddSingleton<ISecretRepository, SecretRepository>();
+        services.AddSingleton<ISecretVersionRepository, SecretVersionRepository>();
        services.AddSingleton<IProjectRepository, ProjectRepository>();
        services.AddSingleton<IServiceAccountRepository, ServiceAccountRepository>();
    }
--- a/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs
+++ b/bitwarden_license/src/Scim/Controllers/v2/GroupsController.cs
@ -61,17 +61,15 @@ public class GroupsController : Controller
    [HttpGet("")]
    public async Task<IActionResult> Get(
        Guid organizationId,
-        [FromQuery] string filter,
-        [FromQuery] int? count,
-        [FromQuery] int? startIndex)
+        [FromQuery] GetGroupsQueryParamModel model)
    {
-        var groupsListQueryResult = await _getGroupsListQuery.GetGroupsListAsync(organizationId, filter, count, startIndex);
+        var groupsListQueryResult = await _getGroupsListQuery.GetGroupsListAsync(organizationId, model);
        var scimListResponseModel = new ScimListResponseModel<ScimGroupResponseModel>
        {
            Resources = groupsListQueryResult.groupList.Select(g => new ScimGroupResponseModel(g)).ToList(),
-            ItemsPerPage = count.GetValueOrDefault(groupsListQueryResult.groupList.Count()),
+            ItemsPerPage = model.Count,
            TotalResults = groupsListQueryResult.totalResults,
-            StartIndex = startIndex.GetValueOrDefault(1),
+            StartIndex = model.StartIndex,
        };
        return Ok(scimListResponseModel);
    }
--- a/bitwarden_license/src/Scim/Controllers/v2/UsersController.cs
+++ b/bitwarden_license/src/Scim/Controllers/v2/UsersController.cs
@ -3,6 +3,7 @@

 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
--- a/bitwarden_license/src/Scim/Groups/GetGroupsListQuery.cs
+++ b/bitwarden_license/src/Scim/Groups/GetGroupsListQuery.cs
@ -4,6 +4,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Scim.Groups.Interfaces;
+using Bit.Scim.Models;

 namespace Bit.Scim.Groups;

@ -16,10 +17,16 @@ public class GetGroupsListQuery : IGetGroupsListQuery
        _groupRepository = groupRepository;
    }

-    public async Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(Guid organizationId, string filter, int? count, int? startIndex)
+    public async Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(
+        Guid organizationId, GetGroupsQueryParamModel groupQueryParams)
    {
        string nameFilter = null;
        string externalIdFilter = null;
+
+        int count = groupQueryParams.Count;
+        int startIndex = groupQueryParams.StartIndex;
+        string filter = groupQueryParams.Filter;
+
        if (!string.IsNullOrWhiteSpace(filter))
        {
            if (filter.StartsWith("displayName eq "))
@ -53,11 +60,11 @@ public class GetGroupsListQuery : IGetGroupsListQuery
            }
            totalResults = groupList.Count;
        }
-        else if (string.IsNullOrWhiteSpace(filter) && startIndex.HasValue && count.HasValue)
+        else if (string.IsNullOrWhiteSpace(filter))
        {
            groupList = groups.OrderBy(g => g.Name)
-                .Skip(startIndex.Value - 1)
-                .Take(count.Value)
+                .Skip(startIndex - 1)
+                .Take(count)
                .ToList();
            totalResults = groups.Count;
        }
--- a/bitwarden_license/src/Scim/Groups/Interfaces/IGetGroupsListQuery.cs
+++ b/bitwarden_license/src/Scim/Groups/Interfaces/IGetGroupsListQuery.cs
@ -1,8 +1,9 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Scim.Models;

 namespace Bit.Scim.Groups.Interfaces;

 public interface IGetGroupsListQuery
 {
-    Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(Guid organizationId, string filter, int? count, int? startIndex);
+    Task<(IEnumerable<Group> groupList, int totalResults)> GetGroupsListAsync(Guid organizationId, GetGroupsQueryParamModel model);
 }
--- a/bitwarden_license/src/Scim/Models/GetGroupsQueryParamModel.cs
+++ b/bitwarden_license/src/Scim/Models/GetGroupsQueryParamModel.cs
@ -0,0 +1,14 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Scim.Models;
+
+public class GetGroupsQueryParamModel
+{
+    public string Filter { get; init; } = string.Empty;
+
+    [Range(1, int.MaxValue)]
+    public int Count { get; init; } = 50;
+
+    [Range(1, int.MaxValue)]
+    public int StartIndex { get; init; } = 1;
+}
--- a/bitwarden_license/src/Scim/Models/GetUsersQueryParamModel.cs
+++ b/bitwarden_license/src/Scim/Models/GetUsersQueryParamModel.cs
@ -1,5 +1,7 @@
 using System.ComponentModel.DataAnnotations;

+namespace Bit.Scim.Models;
+
 public class GetUsersQueryParamModel
 {
    public string Filter { get; init; } = string.Empty;
--- a/bitwarden_license/src/Scim/Program.cs
+++ b/bitwarden_license/src/Scim/Program.cs
@ -11,21 +11,8 @@ public class Program
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
-                webBuilder.ConfigureLogging((hostingContext, logging) =>
-                    logging.AddSerilog(hostingContext, (e, globalSettings) =>
-                    {
-                        var context = e.Properties["SourceContext"].ToString();
-
-                        if (e.Properties.TryGetValue("RequestPath", out var requestPath) &&
-                            !string.IsNullOrWhiteSpace(requestPath?.ToString()) &&
-                            (context.Contains(".Server.Kestrel") || context.Contains(".Core.IISHttpServer")))
-                        {
-                            return false;
-                        }
-
-                        return e.Level >= globalSettings.MinLogLevel.ScimSettings.Default;
-                    }));
            })
+            .AddSerilogFileLogging()
            .Build()
            .Run();
    }
--- a/bitwarden_license/src/Scim/Startup.cs
+++ b/bitwarden_license/src/Scim/Startup.cs
@ -94,11 +94,8 @@ public class Startup
    public void Configure(
        IApplicationBuilder app,
        IWebHostEnvironment env,
-        IHostApplicationLifetime appLifetime,
        GlobalSettings globalSettings)
    {
-        app.UseSerilog(env, appLifetime, globalSettings);
-
        // Add general security headers
        app.UseMiddleware<SecurityHeadersMiddleware>();

--- a/bitwarden_license/src/Scim/Users/GetUsersListQuery.cs
+++ b/bitwarden_license/src/Scim/Users/GetUsersListQuery.cs
@ -3,6 +3,7 @@

 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
+using Bit.Scim.Models;
 using Bit.Scim.Users.Interfaces;

 namespace Bit.Scim.Users;
--- a/bitwarden_license/src/Scim/Users/Interfaces/IGetUsersListQuery.cs
+++ b/bitwarden_license/src/Scim/Users/Interfaces/IGetUsersListQuery.cs
@ -1,4 +1,5 @@
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Scim.Models;

 namespace Bit.Scim.Users.Interfaces;

--- a/bitwarden_license/src/Scim/Users/PatchUserCommand.cs
+++ b/bitwarden_license/src/Scim/Users/PatchUserCommand.cs
@ -1,5 +1,5 @@
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
--- a/bitwarden_license/src/Scim/Users/PostUserCommand.cs
+++ b/bitwarden_license/src/Scim/Users/PostUserCommand.cs
@ -8,6 +8,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.E
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.AdminConsole.Utilities.Commands;
 using Bit.Core.Billing.Pricing;
+using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
@ -24,7 +25,7 @@ public class PostUserCommand(
    IOrganizationRepository organizationRepository,
    IOrganizationUserRepository organizationUserRepository,
    IOrganizationService organizationService,
-    IPaymentService paymentService,
+    IStripePaymentService paymentService,
    IScimContext scimContext,
    IFeatureService featureService,
    IInviteOrganizationUsersCommand inviteOrganizationUsersCommand,
--- a/bitwarden_license/src/Scim/appsettings.Development.json
+++ b/bitwarden_license/src/Scim/appsettings.Development.json
@ -30,6 +30,7 @@
    },
    "storage": {
      "connectionString": "UseDevelopmentStorage=true"
-    }
+    },
+    "pricingUri": "https://billingpricing.qa.bitwarden.pw"
  }
 }
--- a/bitwarden_license/src/Scim/appsettings.json
+++ b/bitwarden_license/src/Scim/appsettings.json
@ -30,9 +30,6 @@
      "connectionString": "SECRET",
      "applicationCacheTopicName": "SECRET"
    },
-    "sentry": {
-      "dsn": "SECRET"
-    },
    "notificationHub": {
      "connectionString": "SECRET",
      "hubName": "SECRET"
--- a/bitwarden_license/src/Sso/Controllers/AccountController.cs
+++ b/bitwarden_license/src/Sso/Controllers/AccountController.cs
@ -1,7 +1,4 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
-
-using System.Security.Claims;
+using System.Security.Claims;
 using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
@ -57,6 +54,7 @@ public class AccountController : Controller
    private readonly IDataProtectorTokenFactory<SsoTokenable> _dataProtector;
    private readonly IOrganizationDomainRepository _organizationDomainRepository;
    private readonly IRegisterUserCommand _registerUserCommand;
+    private readonly IFeatureService _featureService;

    public AccountController(
        IAuthenticationSchemeProvider schemeProvider,
@ -77,7 +75,8 @@ public class AccountController : Controller
        Core.Services.IEventService eventService,
        IDataProtectorTokenFactory<SsoTokenable> dataProtector,
        IOrganizationDomainRepository organizationDomainRepository,
-        IRegisterUserCommand registerUserCommand)
+        IRegisterUserCommand registerUserCommand,
+        IFeatureService featureService)
    {
        _schemeProvider = schemeProvider;
        _clientStore = clientStore;
@ -98,46 +97,43 @@ public class AccountController : Controller
        _dataProtector = dataProtector;
        _organizationDomainRepository = organizationDomainRepository;
        _registerUserCommand = registerUserCommand;
+        _featureService = featureService;
    }

    [HttpGet]
-    public async Task<IActionResult> PreValidate(string domainHint)
+    public async Task<IActionResult> PreValidateAsync(string domainHint)
    {
        try
        {
            // Validate domain_hint provided
            if (string.IsNullOrWhiteSpace(domainHint))
            {
-                return InvalidJson("NoOrganizationIdentifierProvidedError");
+                _logger.LogError(new ArgumentException("domainHint is required."), "domainHint not specified.");
+                return InvalidJson("SsoInvalidIdentifierError");
            }

            // Validate organization exists from domain_hint
            var organization = await _organizationRepository.GetByIdentifierAsync(domainHint);
-            if (organization == null)
+            if (organization is not { UseSso: true })
            {
-                return InvalidJson("OrganizationNotFoundByIdentifierError");
-            }
-            if (!organization.UseSso)
-            {
-                return InvalidJson("SsoNotAllowedForOrganizationError");
+                _logger.LogError("Organization not configured to use SSO.");
+                return InvalidJson("SsoInvalidIdentifierError");
            }

            // Validate SsoConfig exists and is Enabled
            var ssoConfig = await _ssoConfigRepository.GetByIdentifierAsync(domainHint);
-            if (ssoConfig == null)
+            if (ssoConfig is not { Enabled: true })
            {
-                return InvalidJson("SsoConfigurationNotFoundForOrganizationError");
-            }
-            if (!ssoConfig.Enabled)
-            {
-                return InvalidJson("SsoNotEnabledForOrganizationError");
+                _logger.LogError("SsoConfig not enabled.");
+                return InvalidJson("SsoInvalidIdentifierError");
            }

            // Validate Authentication Scheme exists and is loaded (cache)
            var scheme = await _schemeProvider.GetSchemeAsync(organization.Id.ToString());
-            if (scheme == null || !(scheme is IDynamicAuthenticationScheme dynamicScheme))
+            if (scheme is not IDynamicAuthenticationScheme dynamicScheme)
            {
-                return InvalidJson("NoSchemeOrHandlerForSsoConfigurationFoundError");
+                _logger.LogError("Invalid authentication scheme for organization.");
+                return InvalidJson("SsoInvalidIdentifierError");
            }

            // Run scheme validation
@ -147,13 +143,8 @@ public class AccountController : Controller
            }
            catch (Exception ex)
            {
-                var translatedException = _i18nService.GetLocalizedHtmlString(ex.Message);
-                var errorKey = "InvalidSchemeConfigurationError";
-                if (!translatedException.ResourceNotFound)
-                {
-                    errorKey = ex.Message;
-                }
-                return InvalidJson(errorKey, translatedException.ResourceNotFound ? ex : null);
+                _logger.LogError(ex, "An error occurred while validating SSO dynamic scheme.");
+                return InvalidJson("SsoInvalidIdentifierError");
            }

            var tokenable = new SsoTokenable(organization, _globalSettings.Sso.SsoTokenLifetimeInSeconds);
@ -163,15 +154,18 @@ public class AccountController : Controller
        }
        catch (Exception ex)
        {
-            return InvalidJson("PreValidationError", ex);
+            _logger.LogError(ex, "An error occurred during SSO prevalidation.");
+            return InvalidJson("SsoInvalidIdentifierError");
        }
    }

    [HttpGet]
-    public async Task<IActionResult> Login(string returnUrl)
+    public async Task<IActionResult> LoginAsync(string returnUrl)
    {
        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);

+        // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
        if (!context.Parameters.AllKeys.Contains("domain_hint") ||
            string.IsNullOrWhiteSpace(context.Parameters["domain_hint"]))
        {
@ -187,6 +181,7 @@ public class AccountController : Controller

        var domainHint = context.Parameters["domain_hint"];
        var organization = await _organizationRepository.GetByIdentifierAsync(domainHint);
+#nullable restore

        if (organization == null)
        {
@ -206,12 +201,15 @@ public class AccountController : Controller
            returnUrl,
            state = context.Parameters["state"],
            userIdentifier = context.Parameters["session_state"],
+            ssoToken
        });
    }

    [HttpGet]
-    public IActionResult ExternalChallenge(string scheme, string returnUrl, string state, string userIdentifier)
+    public IActionResult ExternalChallenge(string scheme, string returnUrl, string state, string userIdentifier, string ssoToken)
    {
+        ValidateSchemeAgainstSsoToken(scheme, ssoToken);
+
        if (string.IsNullOrEmpty(returnUrl))
        {
            returnUrl = "~/";
@ -240,40 +238,101 @@ public class AccountController : Controller
        return Challenge(props, scheme);
    }

+    /// <summary>
+    /// Validates the scheme (organization ID) against the organization ID found in the ssoToken.
+    /// </summary>
+    /// <param name="scheme">The authentication scheme (organization ID) to validate.</param>
+    /// <param name="ssoToken">The SSO token to validate against.</param>
+    /// <exception cref="Exception">Thrown if the scheme (organization ID) does not match the organization ID found in the ssoToken.</exception>
+    private void ValidateSchemeAgainstSsoToken(string scheme, string ssoToken)
+    {
+        SsoTokenable tokenable;
+
+        try
+        {
+            tokenable = _dataProtector.Unprotect(ssoToken);
+        }
+        catch
+        {
+            throw new Exception(_i18nService.T("InvalidSsoToken"));
+        }
+
+        if (!Guid.TryParse(scheme, out var schemeOrgId) || tokenable.OrganizationId != schemeOrgId)
+        {
+            throw new Exception(_i18nService.T("SsoOrganizationIdMismatch"));
+        }
+    }
+
    [HttpGet]
    public async Task<IActionResult> ExternalCallback()
    {
+        // Feature flag (PM-24579): Prevent SSO on existing non-compliant users.
+        var preventOrgUserLoginIfStatusInvalid =
+            _featureService.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers);
+
        // Read external identity from the temporary cookie
        var result = await HttpContext.AuthenticateAsync(
            AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme);
-        if (result?.Succeeded != true)
-        {
-            throw new Exception(_i18nService.T("ExternalAuthenticationError"));
-        }

-        // Debugging
-        var externalClaims = result.Principal.Claims.Select(c => $"{c.Type}: {c.Value}");
-        _logger.LogDebug("External claims: {@claims}", externalClaims);
+        if (preventOrgUserLoginIfStatusInvalid)
+        {
+            if (!result.Succeeded)
+            {
+                throw new Exception(_i18nService.T("ExternalAuthenticationError"));
+            }
+        }
+        else
+        {
+            if (result?.Succeeded != true)
+            {
+                throw new Exception(_i18nService.T("ExternalAuthenticationError"));
+            }
+        }

        // See if the user has logged in with this SSO provider before and has already been provisioned.
        // This is signified by the user existing in the User table and the SSOUser table for the SSO provider they're using.
-        var (user, provider, providerUserId, claims, ssoConfigData) = await FindUserFromExternalProviderAsync(result);
+        var (possibleSsoLinkedUser, provider, providerUserId, claims, ssoConfigData) = await FindUserFromExternalProviderAsync(result);
+
+        // We will look these up as required (lazy resolution) to avoid multiple DB hits.
+        Organization? organization = null;
+        OrganizationUser? orgUser = null;

        // The user has not authenticated with this SSO provider before.
        // They could have an existing Bitwarden account in the User table though.
-        if (user == null)
+        if (possibleSsoLinkedUser == null)
        {
+            // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
            // If we're manually linking to SSO, the user's external identifier will be passed as query string parameter.
-            var userIdentifier = result.Properties.Items.Keys.Contains("user_identifier") ?
-                result.Properties.Items["user_identifier"] : null;
-            user = await AutoProvisionUserAsync(provider, providerUserId, claims, userIdentifier, ssoConfigData);
+            var userIdentifier = result.Properties.Items.Keys.Contains("user_identifier")
+                ? result.Properties.Items["user_identifier"]
+                : null;
+
+            var (resolvedUser, foundOrganization, foundOrCreatedOrgUser) =
+                await CreateUserAndOrgUserConditionallyAsync(
+                    provider,
+                    providerUserId,
+                    claims,
+                    userIdentifier,
+                    ssoConfigData);
+#nullable restore
+
+            possibleSsoLinkedUser = resolvedUser;
+
+            if (preventOrgUserLoginIfStatusInvalid)
+            {
+                organization = foundOrganization;
+                orgUser = foundOrCreatedOrgUser;
+            }
        }

-        // Either the user already authenticated with the SSO provider, or we've just provisioned them.
-        // Either way, we have associated the SSO login with a Bitwarden user.
-        // We will now sign the Bitwarden user in.
-        if (user != null)
+        if (preventOrgUserLoginIfStatusInvalid)
        {
+            User resolvedSsoLinkedUser = possibleSsoLinkedUser
+                                                  ?? throw new Exception(_i18nService.T("UserShouldBeFound"));
+
+            await PreventOrgUserLoginIfStatusInvalidAsync(organization, provider, orgUser, resolvedSsoLinkedUser);
+
            // This allows us to collect any additional claims or properties
            // for the specific protocols used and store them in the local auth cookie.
            // this is typically used to store data needed for signout from those protocols.
@ -286,19 +345,52 @@ public class AccountController : Controller
            ProcessLoginCallback(result, additionalLocalClaims, localSignInProps);

            // Issue authentication cookie for user
-            await HttpContext.SignInAsync(new IdentityServerUser(user.Id.ToString())
+            await HttpContext.SignInAsync(
+                new IdentityServerUser(resolvedSsoLinkedUser.Id.ToString())
+                {
+                    DisplayName = resolvedSsoLinkedUser.Email,
+                    IdentityProvider = provider,
+                    AdditionalClaims = additionalLocalClaims.ToArray()
+                }, localSignInProps);
+        }
+        else
+        {
+            // PM-24579: remove this else block with feature flag removal.
+            // Either the user already authenticated with the SSO provider, or we've just provisioned them.
+            // Either way, we have associated the SSO login with a Bitwarden user.
+            // We will now sign the Bitwarden user in.
+            if (possibleSsoLinkedUser != null)
            {
-                DisplayName = user.Email,
-                IdentityProvider = provider,
-                AdditionalClaims = additionalLocalClaims.ToArray()
-            }, localSignInProps);
+                // This allows us to collect any additional claims or properties
+                // for the specific protocols used and store them in the local auth cookie.
+                // this is typically used to store data needed for signout from those protocols.
+                var additionalLocalClaims = new List<Claim>();
+                var localSignInProps = new AuthenticationProperties
+                {
+                    IsPersistent = true,
+                    ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(1)
+                };
+                ProcessLoginCallback(result, additionalLocalClaims, localSignInProps);
+
+                // Issue authentication cookie for user
+                await HttpContext.SignInAsync(
+                    new IdentityServerUser(possibleSsoLinkedUser.Id.ToString())
+                    {
+                        DisplayName = possibleSsoLinkedUser.Email,
+                        IdentityProvider = provider,
+                        AdditionalClaims = additionalLocalClaims.ToArray()
+                    }, localSignInProps);
+            }
        }

        // Delete temporary cookie used during external authentication
        await HttpContext.SignOutAsync(AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme);

+        // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
        // Retrieve return URL
        var returnUrl = result.Properties.Items["return_url"] ?? "~/";
+#nullable restore

        // Check if external login is in the context of an OIDC request
        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
@ -317,8 +409,10 @@ public class AccountController : Controller
        return Redirect(returnUrl);
    }

+    // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
    [HttpGet]
-    public async Task<IActionResult> Logout(string logoutId)
+    public async Task<IActionResult> LogoutAsync(string logoutId)
    {
        // Build a model so the logged out page knows what to display
        var (updatedLogoutId, redirectUri, externalAuthenticationScheme) = await GetLoggedOutDataAsync(logoutId);
@ -341,6 +435,7 @@ public class AccountController : Controller
            // This triggers a redirect to the external provider for sign-out
            return SignOut(new AuthenticationProperties { RedirectUri = url }, externalAuthenticationScheme);
        }
+
        if (redirectUri != null)
        {
            return View("Redirect", new RedirectViewModel { RedirectUrl = redirectUri });
@ -350,15 +445,24 @@ public class AccountController : Controller
            return Redirect("~/");
        }
    }
+#nullable restore

    /// <summary>
-    /// Attempts to map the external identity to a Bitwarden user, through the SsoUser table, which holds the `externalId`. 
+    /// Attempts to map the external identity to a Bitwarden user, through the SsoUser table, which holds the `externalId`.
    /// The claims on the external identity are used to determine an `externalId`, and that is used to find the appropriate `SsoUser` and `User` records.
    /// </summary>
-    private async Task<(User user, string provider, string providerUserId, IEnumerable<Claim> claims, SsoConfigurationData config)>
-        FindUserFromExternalProviderAsync(AuthenticateResult result)
+    private async Task<(
+        User? possibleSsoUser,
+        string provider,
+        string providerUserId,
+        IEnumerable<Claim> claims,
+        SsoConfigurationData config
+    )> FindUserFromExternalProviderAsync(AuthenticateResult result)
    {
+        // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
        var provider = result.Properties.Items["scheme"];
+        //Todo: Validate provider is a valid GUID with TryParse instead. When this is invalid it throws an exception
        var orgId = new Guid(provider);
        var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(orgId);
        if (ssoConfig == null || !ssoConfig.Enabled)
@ -382,9 +486,10 @@ public class AccountController : Controller
        // Ensure the NameIdentifier used is not a transient name ID, if so, we need a different attribute
        //  for the user identifier.
        static bool nameIdIsNotTransient(Claim c) => c.Type == ClaimTypes.NameIdentifier
-            && (c.Properties == null
-            || !c.Properties.TryGetValue(SamlPropertyKeys.ClaimFormat, out var claimFormat)
-            || claimFormat != SamlNameIdFormats.Transient);
+                                                     && (c.Properties == null
+                                                         || !c.Properties.TryGetValue(SamlPropertyKeys.ClaimFormat,
+                                                             out var claimFormat)
+                                                         || claimFormat != SamlNameIdFormats.Transient);

        // Try to determine the unique id of the external user (issued by the provider)
        // the most common claim type for that are the sub claim and the NameIdentifier
@ -399,6 +504,7 @@ public class AccountController : Controller
                          externalUser.FindFirst("upn") ??
                          externalUser.FindFirst("eppn") ??
                          throw new Exception(_i18nService.T("UnknownUserId"));
+#nullable restore

        // Remove the user id claim so we don't include it as an extra claim if/when we provision the user
        var claims = externalUser.Claims.ToList();
@ -407,13 +513,15 @@ public class AccountController : Controller
        // find external user
        var providerUserId = userIdClaim.Value;

-        var user = await _userRepository.GetBySsoUserAsync(providerUserId, orgId);
+        var possibleSsoUser = await _userRepository.GetBySsoUserAsync(providerUserId, orgId);

-        return (user, provider, providerUserId, claims, ssoConfigData);
+        return (possibleSsoUser, provider, providerUserId, claims, ssoConfigData);
    }

    /// <summary>
-    /// Provision an SSO-linked Bitwarden user.
+    /// This function seeks to set up the org user record or create a new user record based on the conditions
+    /// below.
+    ///
    /// This handles three different scenarios:
    /// 1. Creating an SsoUser link for an existing User and OrganizationUser
    ///     - User is a member of the organization, but hasn't authenticated with the org's SSO provider before.
@ -426,77 +534,100 @@ public class AccountController : Controller
    /// <param name="providerUserId">The external identity provider's user identifier.</param>
    /// <param name="claims">The claims from the external IdP.</param>
    /// <param name="userIdentifier">The user identifier used for manual SSO linking.</param>
-    /// <param name="config">The SSO configuration for the organization.</param>
-    /// <returns>The User to sign in.</returns>
+    /// <param name="ssoConfigData">The SSO configuration for the organization.</param>
+    /// <returns>Guaranteed to return the user to sign in as well as the found organization and org user.</returns>
    /// <exception cref="Exception">An exception if the user cannot be provisioned as requested.</exception>
-    private async Task<User> AutoProvisionUserAsync(string provider, string providerUserId,
-        IEnumerable<Claim> claims, string userIdentifier, SsoConfigurationData config)
+    private async Task<(User resolvedUser, Organization foundOrganization, OrganizationUser foundOrgUser)> CreateUserAndOrgUserConditionallyAsync(
+            string provider,
+            string providerUserId,
+            IEnumerable<Claim> claims,
+            string userIdentifier,
+            SsoConfigurationData ssoConfigData
+        )
    {
-        var name = GetName(claims, config.GetAdditionalNameClaimTypes());
-        var email = GetEmailAddress(claims, config.GetAdditionalEmailClaimTypes());
-        if (string.IsNullOrWhiteSpace(email) && providerUserId.Contains("@"))
-        {
-            email = providerUserId;
-        }
+        // Try to get the email from the claims as we don't know if we have a user record yet.
+        var name = GetName(claims, ssoConfigData.GetAdditionalNameClaimTypes());
+        var email = TryGetEmailAddress(claims, ssoConfigData, providerUserId);

-        if (!Guid.TryParse(provider, out var orgId))
-        {
-            // TODO: support non-org (server-wide) SSO in the future?
-            throw new Exception(_i18nService.T("SSOProviderIsNotAnOrgId", provider));
-        }
-
-        User existingUser = null;
+        User? possibleExistingUser;
        if (string.IsNullOrWhiteSpace(userIdentifier))
        {
            if (string.IsNullOrWhiteSpace(email))
            {
                throw new Exception(_i18nService.T("CannotFindEmailClaim"));
            }
-            existingUser = await _userRepository.GetByEmailAsync(email);
+
+            possibleExistingUser = await _userRepository.GetByEmailAsync(email);
        }
        else
        {
-            existingUser = await GetUserFromManualLinkingData(userIdentifier);
+            possibleExistingUser = await GetUserFromManualLinkingDataAsync(userIdentifier);
        }

-        // Try to find the OrganizationUser if it exists.
-        var (organization, orgUser) = await FindOrganizationUser(existingUser, email, orgId);
+        // Find the org (we error if we can't find an org because no org is not valid)
+        var organization = await GetOrganizationByProviderAsync(provider);
+
+        // Try to find an org user (null org user possible and valid here)
+        var possibleOrgUser = await GetOrganizationUserByUserAndOrgIdOrEmailAsync(possibleExistingUser, organization.Id, email);

        //----------------------------------------------------
        // Scenario 1: We've found the user in the User table
        //----------------------------------------------------
-        if (existingUser != null)
+        if (possibleExistingUser != null)
        {
-            if (existingUser.UsesKeyConnector &&
-                (orgUser == null || orgUser.Status == OrganizationUserStatusType.Invited))
+            User guaranteedExistingUser = possibleExistingUser;
+
+            if (guaranteedExistingUser.UsesKeyConnector &&
+                (possibleOrgUser == null || possibleOrgUser.Status == OrganizationUserStatusType.Invited))
            {
                throw new Exception(_i18nService.T("UserAlreadyExistsKeyConnector"));
            }

-            // If the user already exists in Bitwarden, we require that the user already be in the org,
-            // and that they are either Accepted or Confirmed.
-            if (orgUser == null)
+            OrganizationUser guaranteedOrgUser = possibleOrgUser ?? throw new Exception(_i18nService.T("UserAlreadyExistsInviteProcess"));
+
+            /*
+             * ----------------------------------------------------
+             *              Critical Code Check Here
+             *
+             * We want to ensure a user is not in the invited state
+             * explicitly. User's in the invited state should not
+             * be able to authenticate via SSO.
+             *
+             * See internal doc called "Added Context for SSO Login
+             * Flows" for further details.
+             * ----------------------------------------------------
+             */
+            if (guaranteedOrgUser.Status == OrganizationUserStatusType.Invited)
            {
-                // Org User is not created - no invite has been sent
-                throw new Exception(_i18nService.T("UserAlreadyExistsInviteProcess"));
+                // Org User is invited – must accept via email first
+                throw new Exception(
+                    _i18nService.T("AcceptInviteBeforeUsingSSO", organization.DisplayName()));
            }

-            EnsureOrgUserStatusAllowed(orgUser.Status, organization.DisplayName(),
-                allowedStatuses: [OrganizationUserStatusType.Accepted, OrganizationUserStatusType.Confirmed]);
+            // If the user already exists in Bitwarden, we require that the user already be in the org,
+            // and that they are either Accepted or Confirmed.
+            EnforceAllowedOrgUserStatus(
+                guaranteedOrgUser.Status,
+                allowedStatuses: [
+                    OrganizationUserStatusType.Accepted,
+                    OrganizationUserStatusType.Confirmed
+                ],
+                organization.DisplayName());

-
-            // Since we're in the auto-provisioning logic, this means that the user exists, but they have not 
+            // Since we're in the auto-provisioning logic, this means that the user exists, but they have not
            // authenticated with the org's SSO provider before now (otherwise we wouldn't be auto-provisioning them).
-            // We've verified that the user is Accepted or Confnirmed, so we can create an SsoUser link and proceed
+            // We've verified that the user is Accepted or Confirmed, so we can create an SsoUser link and proceed
            // with authentication.
-            await CreateSsoUserRecord(providerUserId, existingUser.Id, orgId, orgUser);
-            return existingUser;
+            await CreateSsoUserRecordAsync(providerUserId, guaranteedExistingUser.Id, organization.Id, guaranteedOrgUser);
+
+            return (guaranteedExistingUser, organization, guaranteedOrgUser);
        }

        // Before any user creation - if Org User doesn't exist at this point - make sure there are enough seats to add one
-        if (orgUser == null && organization.Seats.HasValue)
+        if (possibleOrgUser == null && organization.Seats.HasValue)
        {
-            var occupiedSeats = await _organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
+            var occupiedSeats =
+                await _organizationRepository.GetOccupiedSeatCountByOrganizationIdAsync(organization.Id);
            var initialSeatCount = organization.Seats.Value;
            var availableSeats = initialSeatCount - occupiedSeats.Total;
            if (availableSeats < 1)
@ -514,8 +645,10 @@ public class AccountController : Controller
                {
                    if (organization.Seats.Value != initialSeatCount)
                    {
-                        await _organizationService.AdjustSeatsAsync(orgId, initialSeatCount - organization.Seats.Value);
+                        await _organizationService.AdjustSeatsAsync(organization.Id,
+                            initialSeatCount - organization.Seats.Value);
                    }
+
                    _logger.LogInformation(e, "SSO auto provisioning failed");
                    throw new Exception(_i18nService.T("NoSeatsAvailable", organization.DisplayName()));
                }
@ -523,40 +656,50 @@ public class AccountController : Controller
        }

        // If the email domain is verified, we can mark the email as verified
+        if (string.IsNullOrWhiteSpace(email))
+        {
+            throw new Exception(_i18nService.T("CannotFindEmailClaim"));
+        }
+
        var emailVerified = false;
        var emailDomain = CoreHelpers.GetEmailDomain(email);
        if (!string.IsNullOrWhiteSpace(emailDomain))
        {
-            var organizationDomain = await _organizationDomainRepository.GetDomainByOrgIdAndDomainNameAsync(orgId, emailDomain);
+            var organizationDomain =
+                await _organizationDomainRepository.GetDomainByOrgIdAndDomainNameAsync(organization.Id, emailDomain);
            emailVerified = organizationDomain?.VerifiedDate.HasValue ?? false;
        }

        //--------------------------------------------------
        // Scenarios 2 and 3: We need to register a new user
        //--------------------------------------------------
-        var user = new User
+        var newUser = new User
        {
            Name = name,
            Email = email,
            EmailVerified = emailVerified,
            ApiKey = CoreHelpers.SecureRandomString(30)
        };
-        await _registerUserCommand.RegisterUser(user);
+
+        // Always use RegisterSSOAutoProvisionedUserAsync to ensure organization context is available
+        // for domain validation (BlockClaimedDomainAccountCreation policy) and welcome emails.
+        // The feature flag logic for welcome email templates is handled internally by RegisterUserCommand.
+        await _registerUserCommand.RegisterSSOAutoProvisionedUserAsync(newUser, organization);

        // If the organization has 2fa policy enabled, make sure to default jit user 2fa to email
        var twoFactorPolicy =
-            await _policyRepository.GetByOrganizationIdTypeAsync(orgId, PolicyType.TwoFactorAuthentication);
+            await _policyRepository.GetByOrganizationIdTypeAsync(organization.Id, PolicyType.TwoFactorAuthentication);
        if (twoFactorPolicy != null && twoFactorPolicy.Enabled)
        {
-            user.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
+            newUser.SetTwoFactorProviders(new Dictionary<TwoFactorProviderType, TwoFactorProvider>
            {
                [TwoFactorProviderType.Email] = new TwoFactorProvider
                {
-                    MetaData = new Dictionary<string, object> { ["Email"] = user.Email.ToLowerInvariant() },
+                    MetaData = new Dictionary<string, object> { ["Email"] = newUser.Email.ToLowerInvariant() },
                    Enabled = true
                }
            });
-            await _userService.UpdateTwoFactorProviderAsync(user, TwoFactorProviderType.Email);
+            await _userService.UpdateTwoFactorProviderAsync(newUser, TwoFactorProviderType.Email);
        }

        //-----------------------------------------------------------------
@ -564,17 +707,18 @@ public class AccountController : Controller
        // This means that an invitation was not sent for this user and we
        // need to establish their invited status now.
        //-----------------------------------------------------------------
-        if (orgUser == null)
+        if (possibleOrgUser == null)
        {
-            orgUser = new OrganizationUser
+            possibleOrgUser = new OrganizationUser
            {
-                OrganizationId = orgId,
-                UserId = user.Id,
+                OrganizationId = organization.Id,
+                UserId = newUser.Id,
                Type = OrganizationUserType.User,
                Status = OrganizationUserStatusType.Invited
            };
-            await _organizationUserRepository.CreateAsync(orgUser);
+            await _organizationUserRepository.CreateAsync(possibleOrgUser);
        }
+
        //-----------------------------------------------------------------
        // Scenario 3: There is already an existing OrganizationUser
        // That was established through an invitation. We just need to
@ -582,24 +726,68 @@ public class AccountController : Controller
        //-----------------------------------------------------------------
        else
        {
-            orgUser.UserId = user.Id;
-            await _organizationUserRepository.ReplaceAsync(orgUser);
+            possibleOrgUser.UserId = newUser.Id;
+            await _organizationUserRepository.ReplaceAsync(possibleOrgUser);
        }

        // Create the SsoUser record to link the user to the SSO provider.
-        await CreateSsoUserRecord(providerUserId, user.Id, orgId, orgUser);
+        await CreateSsoUserRecordAsync(providerUserId, newUser.Id, organization.Id, possibleOrgUser);

-        return user;
+        return (newUser, organization, possibleOrgUser);
    }

-    private async Task<User> GetUserFromManualLinkingData(string userIdentifier)
+    /// <summary>
+    /// Validates an organization user is allowed to log in via SSO and blocks invalid statuses.
+    /// Lazily resolves the organization and organization user if not provided.
+    /// </summary>
+    /// <param name="organization">The target organization; if null, resolved from provider.</param>
+    /// <param name="provider">The SSO scheme provider value (organization id as a GUID string).</param>
+    /// <param name="orgUser">The organization-user record; if null, looked up by user/org or user email for invited users.</param>
+    /// <param name="user">The user attempting to sign in (existing or newly provisioned).</param>
+    /// <exception cref="Exception">Thrown if the organization cannot be resolved from provider;
+    /// the organization user cannot be found; or the organization user status is not allowed.</exception>
+    private async Task PreventOrgUserLoginIfStatusInvalidAsync(
+        Organization? organization,
+        string provider,
+        OrganizationUser? orgUser,
+        User user)
    {
-        User user = null;
+        // Lazily get organization if not already known
+        organization ??= await GetOrganizationByProviderAsync(provider);
+
+        // Lazily get the org user if not already known
+        orgUser ??= await GetOrganizationUserByUserAndOrgIdOrEmailAsync(
+            user,
+            organization.Id,
+            user.Email);
+
+        if (orgUser != null)
+        {
+            // Invited is allowed at this point because we know the user is trying to accept an org invite.
+            EnforceAllowedOrgUserStatus(
+                orgUser.Status,
+                allowedStatuses: [
+                    OrganizationUserStatusType.Invited,
+                    OrganizationUserStatusType.Accepted,
+                    OrganizationUserStatusType.Confirmed,
+                ],
+                organization.DisplayName());
+        }
+        else
+        {
+            throw new Exception(_i18nService.T("CouldNotFindOrganizationUser", user.Id, organization.Id));
+        }
+    }
+
+    private async Task<User?> GetUserFromManualLinkingDataAsync(string userIdentifier)
+    {
+        User? user = null;
        var split = userIdentifier.Split(",");
        if (split.Length < 2)
        {
            throw new Exception(_i18nService.T("InvalidUserIdentifier"));
        }
+
        var userId = split[0];
        var token = split[1];

@ -619,64 +807,94 @@ public class AccountController : Controller
                throw new Exception(_i18nService.T("UserIdAndTokenMismatch"));
            }
        }
+
        return user;
    }

-    private async Task<(Organization, OrganizationUser)> FindOrganizationUser(User existingUser, string email, Guid orgId)
+    /// <summary>
+    /// Tries to get the organization by the provider which is org id for us as we use the scheme
+    /// to identify organizations - not identity providers.
+    /// </summary>
+    /// <param name="provider">Org id string from SSO scheme property</param>
+    /// <exception cref="Exception">Errors if the provider string is not a valid org id guid or if the org cannot be found by the id.</exception>
+    private async Task<Organization> GetOrganizationByProviderAsync(string provider)
    {
-        OrganizationUser orgUser = null;
-        var organization = await _organizationRepository.GetByIdAsync(orgId);
+        if (!Guid.TryParse(provider, out var organizationId))
+        {
+            // TODO: support non-org (server-wide) SSO in the future?
+            throw new Exception(_i18nService.T("SSOProviderIsNotAnOrgId", provider));
+        }
+
+        var organization = await _organizationRepository.GetByIdAsync(organizationId);
+
        if (organization == null)
        {
-            throw new Exception(_i18nService.T("CouldNotFindOrganization", orgId));
+            throw new Exception(_i18nService.T("CouldNotFindOrganization", organizationId));
        }

+        return organization;
+    }
+
+    /// <summary>
+    /// Attempts to get an <see cref="OrganizationUser"/> for a given organization
+    /// by first checking for an existing user relationship, and if none is found,
+    /// by looking up an invited user via their email address.
+    /// </summary>
+    /// <param name="user">The existing user entity to be looked up in OrganizationUsers table.</param>
+    /// <param name="organizationId">Organization id from the provider data.</param>
+    /// <param name="email">Email to use as a fallback in case of an invited user not in the Org Users
+    /// table yet.</param>
+    private async Task<OrganizationUser?> GetOrganizationUserByUserAndOrgIdOrEmailAsync(
+        User? user,
+        Guid organizationId,
+        string? email)
+    {
+        OrganizationUser? orgUser = null;
+
        // Try to find OrgUser via existing User Id.
        // This covers any OrganizationUser state after they have accepted an invite.
-        if (existingUser != null)
+        if (user != null)
        {
-            var orgUsersByUserId = await _organizationUserRepository.GetManyByUserAsync(existingUser.Id);
-            orgUser = orgUsersByUserId.SingleOrDefault(u => u.OrganizationId == orgId);
+            var orgUsersByUserId = await _organizationUserRepository.GetManyByUserAsync(user.Id);
+            orgUser = orgUsersByUserId.SingleOrDefault(u => u.OrganizationId == organizationId);
        }

        // If no Org User found by Existing User Id - search all the organization's users via email.
        // This covers users who are Invited but haven't accepted their invite yet.
-        orgUser ??= await _organizationUserRepository.GetByOrganizationEmailAsync(orgId, email);
+        if (email != null)
+        {
+            orgUser ??= await _organizationUserRepository.GetByOrganizationEmailAsync(organizationId, email);
+        }

-        return (organization, orgUser);
+        return orgUser;
    }

-    private void EnsureOrgUserStatusAllowed(
-        OrganizationUserStatusType status,
-        string organizationDisplayName,
-        params OrganizationUserStatusType[] allowedStatuses)
+    private void EnforceAllowedOrgUserStatus(
+        OrganizationUserStatusType statusToCheckAgainst,
+        OrganizationUserStatusType[] allowedStatuses,
+        string organizationDisplayNameForLogging)
    {
        // if this status is one of the allowed ones, just return
-        if (allowedStatuses.Contains(status))
+        if (allowedStatuses.Contains(statusToCheckAgainst))
        {
            return;
        }

        // otherwise throw the appropriate exception
-        switch (status)
+        switch (statusToCheckAgainst)
        {
-            case OrganizationUserStatusType.Invited:
-                // Org User is invited – must accept via email first
-                throw new Exception(
-                    _i18nService.T("AcceptInviteBeforeUsingSSO", organizationDisplayName));
            case OrganizationUserStatusType.Revoked:
                // Revoked users may not be (auto)‑provisioned
                throw new Exception(
-                    _i18nService.T("OrganizationUserAccessRevoked", organizationDisplayName));
+                    _i18nService.T("OrganizationUserAccessRevoked", organizationDisplayNameForLogging));
            default:
                // anything else is “unknown”
                throw new Exception(
-                    _i18nService.T("OrganizationUserUnknownStatus", organizationDisplayName));
+                    _i18nService.T("OrganizationUserUnknownStatus", organizationDisplayNameForLogging));
        }
    }

-
-    private IActionResult InvalidJson(string errorMessageKey, Exception ex = null)
+    private IActionResult InvalidJson(string errorMessageKey, Exception? ex = null)
    {
        Response.StatusCode = ex == null ? 400 : 500;
        return Json(new ErrorResponseModel(_i18nService.T(errorMessageKey))
@ -687,13 +905,13 @@ public class AccountController : Controller
        });
    }

-    private string GetEmailAddress(IEnumerable<Claim> claims, IEnumerable<string> additionalClaimTypes)
+    private string? TryGetEmailAddressFromClaims(IEnumerable<Claim> claims, IEnumerable<string> additionalClaimTypes)
    {
        var filteredClaims = claims.Where(c => !string.IsNullOrWhiteSpace(c.Value) && c.Value.Contains("@"));

        var email = filteredClaims.GetFirstMatch(additionalClaimTypes.ToArray()) ??
-            filteredClaims.GetFirstMatch(JwtClaimTypes.Email, ClaimTypes.Email,
-                SamlClaimTypes.Email, "mail", "emailaddress");
+                    filteredClaims.GetFirstMatch(JwtClaimTypes.Email, ClaimTypes.Email,
+                        SamlClaimTypes.Email, "mail", "emailaddress");
        if (!string.IsNullOrWhiteSpace(email))
        {
            return email;
@ -709,13 +927,15 @@ public class AccountController : Controller
        return null;
    }

+    // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
    private string GetName(IEnumerable<Claim> claims, IEnumerable<string> additionalClaimTypes)
    {
        var filteredClaims = claims.Where(c => !string.IsNullOrWhiteSpace(c.Value));

        var name = filteredClaims.GetFirstMatch(additionalClaimTypes.ToArray()) ??
-            filteredClaims.GetFirstMatch(JwtClaimTypes.Name, ClaimTypes.Name,
-                SamlClaimTypes.DisplayName, SamlClaimTypes.CommonName, "displayname", "cn");
+                   filteredClaims.GetFirstMatch(JwtClaimTypes.Name, ClaimTypes.Name,
+                       SamlClaimTypes.DisplayName, SamlClaimTypes.CommonName, "displayname", "cn");
        if (!string.IsNullOrWhiteSpace(name))
        {
            return name;
@ -732,8 +952,10 @@ public class AccountController : Controller

        return null;
    }
+#nullable restore

-    private async Task CreateSsoUserRecord(string providerUserId, Guid userId, Guid orgId, OrganizationUser orgUser)
+    private async Task CreateSsoUserRecordAsync(string providerUserId, Guid userId, Guid orgId,
+        OrganizationUser orgUser)
    {
        // Delete existing SsoUser (if any) - avoids error if providerId has changed and the sso link is stale
        var existingSsoUser = await _ssoUserRepository.GetByUserIdOrganizationIdAsync(orgId, userId);
@ -748,15 +970,12 @@ public class AccountController : Controller
            await _eventService.LogOrganizationUserEventAsync(orgUser, EventType.OrganizationUser_FirstSsoLogin);
        }

-        var ssoUser = new SsoUser
-        {
-            ExternalId = providerUserId,
-            UserId = userId,
-            OrganizationId = orgId,
-        };
+        var ssoUser = new SsoUser { ExternalId = providerUserId, UserId = userId, OrganizationId = orgId, };
        await _ssoUserRepository.CreateAsync(ssoUser);
    }

+    // FIXME: Update this file to be null safe and then delete the line below
+#nullable disable
    private void ProcessLoginCallback(AuthenticateResult externalResult,
        List<Claim> localClaims, AuthenticationProperties localSignInProps)
    {
@ -777,18 +996,6 @@ public class AccountController : Controller
        }
    }

-    private async Task<string> GetProviderAsync(string returnUrl)
-    {
-        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
-        if (context?.IdP != null && await _schemeProvider.GetSchemeAsync(context.IdP) != null)
-        {
-            return context.IdP;
-        }
-        var schemes = await _schemeProvider.GetAllSchemesAsync();
-        var providers = schemes.Select(x => x.Name).ToList();
-        return providers.FirstOrDefault();
-    }
-
    private async Task<(string, string, string)> GetLoggedOutDataAsync(string logoutId)
    {
        // Get context information (client name, post logout redirect URI and iframe for federated signout)
@ -819,10 +1026,31 @@ public class AccountController : Controller

        return (logoutId, logout?.PostLogoutRedirectUri, externalAuthenticationScheme);
    }
+#nullable restore
+
+    /**
+     * Tries to get a user's email from the claims and SSO configuration data or the provider user id if
+     * the claims email extraction returns null.
+     */
+    private string? TryGetEmailAddress(
+        IEnumerable<Claim> claims,
+        SsoConfigurationData config,
+        string providerUserId)
+    {
+        var email = TryGetEmailAddressFromClaims(claims, config.GetAdditionalEmailClaimTypes());
+
+        // If email isn't populated from claims and providerUserId has @, assume it is the email.
+        if (string.IsNullOrWhiteSpace(email) && providerUserId.Contains("@"))
+        {
+            email = providerUserId;
+        }
+
+        return email;
+    }

    public bool IsNativeClient(DIM.AuthorizationRequest context)
    {
        return !context.RedirectUri.StartsWith("https", StringComparison.Ordinal)
-           && !context.RedirectUri.StartsWith("http", StringComparison.Ordinal);
+               && !context.RedirectUri.StartsWith("http", StringComparison.Ordinal);
    }
 }
--- a/bitwarden_license/src/Sso/Program.cs
+++ b/bitwarden_license/src/Sso/Program.cs
@ -1,5 +1,4 @@
 using Bit.Core.Utilities;
-using Serilog;

 namespace Bit.Sso;

@ -13,19 +12,8 @@ public class Program
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
-                webBuilder.ConfigureLogging((hostingContext, logging) =>
-                logging.AddSerilog(hostingContext, (e, globalSettings) =>
-                {
-                    var context = e.Properties["SourceContext"].ToString();
-                    if (e.Properties.TryGetValue("RequestPath", out var requestPath) &&
-                        !string.IsNullOrWhiteSpace(requestPath?.ToString()) &&
-                        (context.Contains(".Server.Kestrel") || context.Contains(".Core.IISHttpServer")))
-                    {
-                        return false;
-                    }
-                    return e.Level >= globalSettings.MinLogLevel.SsoSettings.Default;
-                }));
            })
+            .AddSerilogFileLogging()
            .Build()
            .Run();
    }
--- a/bitwarden_license/src/Sso/Sso.csproj
+++ b/bitwarden_license/src/Sso/Sso.csproj
@ -10,7 +10,7 @@
    <!-- This is a transitive dependency to Sustainsys.Saml2.AspNetCore2 -->
    <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.2.2" />

-    <PackageReference Include="Sustainsys.Saml2.AspNetCore2" Version="2.10.0" />
+    <PackageReference Include="Sustainsys.Saml2.AspNetCore2" Version="2.11.0" />
  </ItemGroup>

  <ItemGroup>
--- a/bitwarden_license/src/Sso/Startup.cs
+++ b/bitwarden_license/src/Sso/Startup.cs
@ -100,8 +100,6 @@ public class Startup
            IdentityModelEventSource.ShowPII = true;
        }

-        app.UseSerilog(env, appLifetime, globalSettings);
-
        // Add general security headers
        app.UseMiddleware<SecurityHeadersMiddleware>();

@ -157,6 +155,6 @@ public class Startup
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());

        // Log startup
-        logger.LogInformation(Constants.BypassFiltersEventId, globalSettings.ProjectName + " started.");
+        logger.LogInformation(Constants.BypassFiltersEventId, "{Project} started.", globalSettings.ProjectName);
    }
 }
--- a/bitwarden_license/src/Sso/appsettings.Development.json
+++ b/bitwarden_license/src/Sso/appsettings.Development.json
@ -24,6 +24,13 @@
    "storage": {
      "connectionString": "UseDevelopmentStorage=true"
    },
-    "developmentDirectory": "../../../dev"
+    "developmentDirectory": "../../../dev",
+    "pricingUri": "https://billingpricing.qa.bitwarden.pw",
+    "mail": {
+      "smtp": {
+        "host": "localhost",
+        "port": 10250
+      }
+    }
  }
 }
--- a/bitwarden_license/src/Sso/appsettings.json
+++ b/bitwarden_license/src/Sso/appsettings.json
@ -13,7 +13,11 @@
    "mail": {
      "sendGridApiKey": "SECRET",
      "amazonConfigSetName": "Email",
-      "replyToEmail": "no-reply@bitwarden.com"
+      "replyToEmail": "no-reply@bitwarden.com",
+      "smtp": {
+        "host": "localhost",
+        "port": 10250
+      }
    },
    "identityServer": {
      "certificateThumbprint": "SECRET"
--- a/bitwarden_license/src/Sso/package-lock.json
+++ b/bitwarden_license/src/Sso/package-lock.json
@ -17,9 +17,9 @@
        "css-loader": "7.1.2",
        "expose-loader": "5.0.1",
        "mini-css-extract-plugin": "2.9.2",
-        "sass": "1.89.2",
+        "sass": "1.93.2",
        "sass-loader": "16.0.5",
-        "webpack": "5.99.8",
+        "webpack": "5.102.1",
        "webpack-cli": "5.1.4"
      }
    },
@ -34,18 +34,14 @@
      }
    },
    "node_modules/@jridgewell/gen-mapping": {
-      "version": "0.3.8",
-      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.8.tgz",
-      "integrity": "sha512-imAbBGkb+ebQyxKgzv5Hu2nmROxoDOXHh80evxdoXNOrvAnVx7zimzc1Oo5h9RlfV4vPXaE2iM5pOFbvOCClWA==",
+      "version": "0.3.13",
+      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz",
+      "integrity": "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "@jridgewell/set-array": "^1.2.1",
-        "@jridgewell/sourcemap-codec": "^1.4.10",
+        "@jridgewell/sourcemap-codec": "^1.5.0",
        "@jridgewell/trace-mapping": "^0.3.24"
-      },
-      "engines": {
-        "node": ">=6.0.0"
      }
    },
    "node_modules/@jridgewell/resolve-uri": {
@ -58,20 +54,10 @@
        "node": ">=6.0.0"
      }
    },
-    "node_modules/@jridgewell/set-array": {
-      "version": "1.2.1",
-      "resolved": "https://registry.npmjs.org/@jridgewell/set-array/-/set-array-1.2.1.tgz",
-      "integrity": "sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=6.0.0"
-      }
-    },
    "node_modules/@jridgewell/source-map": {
-      "version": "0.3.6",
-      "resolved": "https://registry.npmjs.org/@jridgewell/source-map/-/source-map-0.3.6.tgz",
-      "integrity": "sha512-1ZJTZebgqllO79ue2bm3rIGud/bOe0pP5BjSRCRxxYkEZS8STV7zN84UBbiYu7jy+eCKSnVIUgoWWE/tt+shMQ==",
+      "version": "0.3.11",
+      "resolved": "https://registry.npmjs.org/@jridgewell/source-map/-/source-map-0.3.11.tgz",
+      "integrity": "sha512-ZMp1V8ZFcPG5dIWnQLr3NSI1MiCU7UETdS/A0G8V/XWHvJv3ZsFqutJn1Y5RPmAPX6F3BiE397OqveU/9NCuIA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@ -80,16 +66,16 @@
      }
    },
    "node_modules/@jridgewell/sourcemap-codec": {
-      "version": "1.5.0",
-      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.0.tgz",
-      "integrity": "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==",
+      "version": "1.5.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
+      "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
      "dev": true,
      "license": "MIT"
    },
    "node_modules/@jridgewell/trace-mapping": {
-      "version": "0.3.25",
-      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.25.tgz",
-      "integrity": "sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ==",
+      "version": "0.3.30",
+      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.30.tgz",
+      "integrity": "sha512-GQ7Nw5G2lTu/BtHTKfXhKHok2WGetd4XYcVKGx00SjAk8GMwgJM3zr6zORiPGuOE+/vkc90KtTosSSvaCjKb2Q==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@ -441,9 +427,9 @@
      }
    },
    "node_modules/@types/estree": {
-      "version": "1.0.7",
-      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.7.tgz",
-      "integrity": "sha512-w28IoSUCJpidD/TGviZwwMJckNESJZXFu7NBZ5YJ4mEUnNraUn9Pm8HSZm/jDF1pDWYKspWE7oVphigUPRakIQ==",
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
+      "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
      "dev": true,
      "license": "MIT"
    },
@ -455,13 +441,13 @@
      "license": "MIT"
    },
    "node_modules/@types/node": {
-      "version": "22.15.21",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.15.21.tgz",
-      "integrity": "sha512-EV/37Td6c+MgKAbkcLG6vqZ2zEYHD7bvSrzqqs2RIhbA6w3x+Dqz8MZM3sP6kGTeLrdoOgKZe+Xja7tUB2DNkQ==",
+      "version": "24.3.1",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-24.3.1.tgz",
+      "integrity": "sha512-3vXmQDXy+woz+gnrTvuvNrPzekOi+Ds0ReMxw0LzBiK3a+1k0kQn9f2NWk+lgD4rJehFUmYy2gMhJ2ZI+7YP9g==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "undici-types": "~6.21.0"
+        "undici-types": "~7.10.0"
      }
    },
    "node_modules/@webassemblyjs/ast": {
@ -687,11 +673,12 @@
      "license": "Apache-2.0"
    },
    "node_modules/acorn": {
-      "version": "8.14.1",
-      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.1.tgz",
-      "integrity": "sha512-OvQ/2pUDKmgfCg++xsTX1wGxfTaszcHVcTctW4UJB4hibJx2HXxxO5UmVgyjMa+ZDsiaf5wWLXYpRWMmBI0QHg==",
+      "version": "8.15.0",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
+      "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "bin": {
        "acorn": "bin/acorn"
      },
@ -699,12 +686,26 @@
        "node": ">=0.4.0"
      }
    },
+    "node_modules/acorn-import-phases": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/acorn-import-phases/-/acorn-import-phases-1.0.4.tgz",
+      "integrity": "sha512-wKmbr/DDiIXzEOiWrTTUcDm24kQ2vGfZQvM2fwg2vXqR5uW6aapr7ObPtj1th32b9u90/Pf4AItvdTh42fBmVQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.13.0"
+      },
+      "peerDependencies": {
+        "acorn": "^8.14.0"
+      }
+    },
    "node_modules/ajv": {
      "version": "8.17.1",
      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz",
      "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "fast-deep-equal": "^3.1.3",
        "fast-uri": "^3.0.1",
@ -747,6 +748,16 @@
        "ajv": "^8.8.2"
      }
    },
+    "node_modules/baseline-browser-mapping": {
+      "version": "2.8.18",
+      "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.8.18.tgz",
+      "integrity": "sha512-UYmTpOBwgPScZpS4A+YbapwWuBwasxvO/2IOHArSsAhL/+ZdmATBXTex3t+l2hXwLVYK382ibr/nKoY9GKe86w==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "bin": {
+        "baseline-browser-mapping": "dist/cli.js"
+      }
+    },
    "node_modules/bootstrap": {
      "version": "5.3.6",
      "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-5.3.6.tgz",
@ -781,9 +792,9 @@
      }
    },
    "node_modules/browserslist": {
-      "version": "4.24.5",
-      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.24.5.tgz",
-      "integrity": "sha512-FDToo4Wo82hIdgc1CQ+NQD0hEhmpPjrZ3hiUgwgOG6IuTdlpr8jdjyG24P6cNP1yJpTLzS5OcGgSw0xmDU1/Tw==",
+      "version": "4.26.3",
+      "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.26.3.tgz",
+      "integrity": "sha512-lAUU+02RFBuCKQPj/P6NgjlbCnLBMp4UtgTx7vNHd3XSIJF87s9a5rA3aH2yw3GS9DqZAUbOtZdCCiZeVRqt0w==",
      "dev": true,
      "funding": [
        {
@ -800,10 +811,12 @@
        }
      ],
      "license": "MIT",
+      "peer": true,
      "dependencies": {
-        "caniuse-lite": "^1.0.30001716",
-        "electron-to-chromium": "^1.5.149",
-        "node-releases": "^2.0.19",
+        "baseline-browser-mapping": "^2.8.9",
+        "caniuse-lite": "^1.0.30001746",
+        "electron-to-chromium": "^1.5.227",
+        "node-releases": "^2.0.21",
        "update-browserslist-db": "^1.1.3"
      },
      "bin": {
@ -821,9 +834,9 @@
      "license": "MIT"
    },
    "node_modules/caniuse-lite": {
-      "version": "1.0.30001718",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001718.tgz",
-      "integrity": "sha512-AflseV1ahcSunK53NfEs9gFWgOEmzr0f+kaMFA4xiLZlr9Hzt7HxcSpIFcnNCUkz6R6dWKa54rUz3HUmI3nVcw==",
+      "version": "1.0.30001751",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001751.tgz",
+      "integrity": "sha512-A0QJhug0Ly64Ii3eIqHu5X51ebln3k4yTUkY1j8drqpWHVreg/VLijN48cZ1bYPiqOQuqpkIKnzr/Ul8V+p6Cw==",
      "dev": true,
      "funding": [
        {
@ -975,16 +988,16 @@
      }
    },
    "node_modules/electron-to-chromium": {
-      "version": "1.5.155",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.155.tgz",
-      "integrity": "sha512-ps5KcGGmwL8VaeJlvlDlu4fORQpv3+GIcF5I3f9tUKUlJ/wsysh6HU8P5L1XWRYeXfA0oJd4PyM8ds8zTFf6Ng==",
+      "version": "1.5.237",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.237.tgz",
+      "integrity": "sha512-icUt1NvfhGLar5lSWH3tHNzablaA5js3HVHacQimfP8ViEBOQv+L7DKEuHdbTZ0SKCO1ogTJTIL1Gwk9S6Qvcg==",
      "dev": true,
      "license": "ISC"
    },
    "node_modules/enhanced-resolve": {
-      "version": "5.18.1",
-      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.1.tgz",
-      "integrity": "sha512-ZSW3ma5GkcQBIpwZTSRAI8N71Uuwgs93IezB7mf7R60tC8ZbJideoDNKjHn2O9KIlx6rkGTTEk1xUCK2E1Y2Yg==",
+      "version": "5.18.3",
+      "resolved": "https://registry.npmjs.org/enhanced-resolve/-/enhanced-resolve-5.18.3.tgz",
+      "integrity": "sha512-d4lC8xfavMeBjzGr2vECC3fsGXziXZQyJxD868h2M/mBI3PwAuODxAkLkq5HYuvrPYcUtiLzsTo8U3PgX3Ocww==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@ -1107,9 +1120,9 @@
      "license": "MIT"
    },
    "node_modules/fast-uri": {
-      "version": "3.0.6",
-      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.6.tgz",
-      "integrity": "sha512-Atfo14OibSv5wAp4VWNsFYE1AchQRTv9cBGWET4pZWHzYshFSS9NQI6I57rdKn9croWVMbYFbLhJ+yJvmZIIHw==",
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz",
+      "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==",
      "dev": true,
      "funding": [
        {
@ -1241,9 +1254,9 @@
      }
    },
    "node_modules/immutable": {
-      "version": "5.1.2",
-      "resolved": "https://registry.npmjs.org/immutable/-/immutable-5.1.2.tgz",
-      "integrity": "sha512-qHKXW1q6liAk1Oys6umoaZbDRqjcjgSrbnrifHsfsttza7zcvRAsL7mMV6xWcyhwQy7Xj5v4hhbr6b+iDYwlmQ==",
+      "version": "5.1.3",
+      "resolved": "https://registry.npmjs.org/immutable/-/immutable-5.1.3.tgz",
+      "integrity": "sha512-+chQdDfvscSF1SJqv2gn4SRO2ZyS3xL3r7IW/wWEEzrzLisnOlKiQu5ytC/BVNcS15C39WT2Hg/bjKjDMcu+zg==",
      "dev": true,
      "license": "MIT"
    },
@ -1528,9 +1541,9 @@
      "optional": true
    },
    "node_modules/node-releases": {
-      "version": "2.0.19",
-      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.19.tgz",
-      "integrity": "sha512-xxOWJsBKtzAq7DY0J+DTzuz58K8e7sJbdgwkbMWQe8UYB6ekmsQ45q0M/tJDsGaZmbC+l7n57UV8Hl5tHxO9uw==",
+      "version": "2.0.26",
+      "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.26.tgz",
+      "integrity": "sha512-S2M9YimhSjBSvYnlr5/+umAnPHE++ODwt5e2Ij6FoX45HA/s4vHdkDx1eax2pAPeAOqu4s9b7ppahsyEFdVqQA==",
      "dev": true,
      "license": "MIT"
    },
@ -1635,9 +1648,9 @@
      }
    },
    "node_modules/postcss": {
-      "version": "8.5.3",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.3.tgz",
-      "integrity": "sha512-dle9A3yYxlBSrt8Fu+IpjGT8SY8hN0mlaA6GY8t0P5PjIOZemULz/E2Bnm/2dcUOena75OTNkHI76uZBNUUq3A==",
+      "version": "8.5.6",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
+      "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
      "dev": true,
      "funding": [
        {
@ -1654,8 +1667,9 @@
        }
      ],
      "license": "MIT",
+      "peer": true,
      "dependencies": {
-        "nanoid": "^3.3.8",
+        "nanoid": "^3.3.11",
        "picocolors": "^1.1.1",
        "source-map-js": "^1.2.1"
      },
@ -1860,11 +1874,12 @@
      "license": "MIT"
    },
    "node_modules/sass": {
-      "version": "1.89.2",
-      "resolved": "https://registry.npmjs.org/sass/-/sass-1.89.2.tgz",
-      "integrity": "sha512-xCmtksBKd/jdJ9Bt9p7nPKiuqrlBMBuuGkQlkhZjjQk3Ty48lv93k5Dq6OPkKt4XwxDJ7tvlfrTa1MPA9bf+QA==",
+      "version": "1.93.2",
+      "resolved": "https://registry.npmjs.org/sass/-/sass-1.93.2.tgz",
+      "integrity": "sha512-t+YPtOQHpGW1QWsh1CHQ5cPIr9lbbGZLZnbihP/D/qZj/yuV68m8qarcV17nvkOX81BCrvzAlq2klCQFZghyTg==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "chokidar": "^4.0.0",
        "immutable": "^5.0.2",
@ -1922,9 +1937,9 @@
      }
    },
    "node_modules/schema-utils": {
-      "version": "4.3.2",
-      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.3.2.tgz",
-      "integrity": "sha512-Gn/JaSk/Mt9gYubxTtSn/QCV4em9mpAPiR1rqy/Ocu19u/G9J5WWdNoUT4SiV6mFC3y6cxyFcFwdzPM3FgxGAQ==",
+      "version": "4.3.3",
+      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-4.3.3.tgz",
+      "integrity": "sha512-eflK8wEtyOE6+hsaRVPxvUKYCpRgzLqDTb8krvAsRIwOGlHoSgYLgBXoubGgLd2fT41/OUYdb48v4k4WWHQurA==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@ -2061,24 +2076,28 @@
      }
    },
    "node_modules/tapable": {
-      "version": "2.2.2",
-      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.2.2.tgz",
-      "integrity": "sha512-Re10+NauLTMCudc7T5WLFLAwDhQ0JWdrMK+9B2M8zR5hRExKmsRDCBA7/aV/pNJFltmBFO5BAMlQFi/vq3nKOg==",
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/tapable/-/tapable-2.3.0.tgz",
+      "integrity": "sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==",
      "dev": true,
      "license": "MIT",
      "engines": {
        "node": ">=6"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/webpack"
      }
    },
    "node_modules/terser": {
-      "version": "5.39.2",
-      "resolved": "https://registry.npmjs.org/terser/-/terser-5.39.2.tgz",
-      "integrity": "sha512-yEPUmWve+VA78bI71BW70Dh0TuV4HHd+I5SHOAfS1+QBOmvmCiiffgjR8ryyEd3KIfvPGFqoADt8LdQ6XpXIvg==",
+      "version": "5.44.0",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-5.44.0.tgz",
+      "integrity": "sha512-nIVck8DK+GM/0Frwd+nIhZ84pR/BX7rmXMfYwyg+Sri5oGVE99/E3KvXqpC2xHFxyqXyGHTKBSioxxplrO4I4w==",
      "dev": true,
      "license": "BSD-2-Clause",
      "dependencies": {
        "@jridgewell/source-map": "^0.3.3",
-        "acorn": "^8.14.0",
+        "acorn": "^8.15.0",
        "commander": "^2.20.0",
        "source-map-support": "~0.5.20"
      },
@ -2139,9 +2158,9 @@
      }
    },
    "node_modules/undici-types": {
-      "version": "6.21.0",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz",
-      "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==",
+      "version": "7.10.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.10.0.tgz",
+      "integrity": "sha512-t5Fy/nfn+14LuOc2KNYg75vZqClpAiqscVvMygNnlsHBFpSXdJaYtXMcdNLpl/Qvc3P2cB3s6lOV51nqsFq4ag==",
      "dev": true,
      "license": "MIT"
    },
@ -2198,22 +2217,24 @@
      }
    },
    "node_modules/webpack": {
-      "version": "5.99.8",
-      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.99.8.tgz",
-      "integrity": "sha512-lQ3CPiSTpfOnrEGeXDwoq5hIGzSjmwD72GdfVzF7CQAI7t47rJG9eDWvcEkEn3CUQymAElVvDg3YNTlCYj+qUQ==",
+      "version": "5.102.1",
+      "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.102.1.tgz",
+      "integrity": "sha512-7h/weGm9d/ywQ6qzJ+Xy+r9n/3qgp/thalBbpOi5i223dPXKi04IBtqPN9nTd+jBc7QKfvDbaBnFipYp4sJAUQ==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "@types/eslint-scope": "^3.7.7",
-        "@types/estree": "^1.0.6",
+        "@types/estree": "^1.0.8",
        "@types/json-schema": "^7.0.15",
        "@webassemblyjs/ast": "^1.14.1",
        "@webassemblyjs/wasm-edit": "^1.14.1",
        "@webassemblyjs/wasm-parser": "^1.14.1",
-        "acorn": "^8.14.0",
-        "browserslist": "^4.24.0",
+        "acorn": "^8.15.0",
+        "acorn-import-phases": "^1.0.3",
+        "browserslist": "^4.26.3",
        "chrome-trace-event": "^1.0.2",
-        "enhanced-resolve": "^5.17.1",
+        "enhanced-resolve": "^5.17.3",
        "es-module-lexer": "^1.2.1",
        "eslint-scope": "5.1.1",
        "events": "^3.2.0",
@ -2223,11 +2244,11 @@
        "loader-runner": "^4.2.0",
        "mime-types": "^2.1.27",
        "neo-async": "^2.6.2",
-        "schema-utils": "^4.3.2",
-        "tapable": "^2.1.1",
+        "schema-utils": "^4.3.3",
+        "tapable": "^2.3.0",
        "terser-webpack-plugin": "^5.3.11",
-        "watchpack": "^2.4.1",
-        "webpack-sources": "^3.2.3"
+        "watchpack": "^2.4.4",
+        "webpack-sources": "^3.3.3"
      },
      "bin": {
        "webpack": "bin/webpack.js"
@ -2251,6 +2272,7 @@
      "integrity": "sha512-pIDJHIEI9LR0yxHXQ+Qh95k2EvXpWzZ5l+d+jIo+RdSm9MiHfzazIxwwni/p7+x4eJZuvG1AJwgC4TNQ7NRgsg==",
      "dev": true,
      "license": "MIT",
+      "peer": true,
      "dependencies": {
        "@discoveryjs/json-ext": "^0.5.0",
        "@webpack-cli/configtest": "^2.1.1",
@ -2317,9 +2339,9 @@
      }
    },
    "node_modules/webpack-sources": {
-      "version": "3.2.3",
-      "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.2.3.tgz",
-      "integrity": "sha512-/DyMEOrDgLKKIG0fmvtz+4dUX/3Ghozwgm6iPp8KRhvn+eQf9+Q7GWxVNMk3+uCPWfdXYC4ExGBckIXdFEfH1w==",
+      "version": "3.3.3",
+      "resolved": "https://registry.npmjs.org/webpack-sources/-/webpack-sources-3.3.3.tgz",
+      "integrity": "sha512-yd1RBzSGanHkitROoPFd6qsrxt+oFhg/129YzheDGqeustzX0vTZJZsSsQjVQC4yzBQ56K55XU8gaNCtIzOnTg==",
      "dev": true,
      "license": "MIT",
      "engines": {
--- a/bitwarden_license/src/Sso/package.json
+++ b/bitwarden_license/src/Sso/package.json
@ -16,9 +16,9 @@
    "css-loader": "7.1.2",
    "expose-loader": "5.0.1",
    "mini-css-extract-plugin": "2.9.2",
-    "sass": "1.89.2",
+    "sass": "1.93.2",
    "sass-loader": "16.0.5",
-    "webpack": "5.99.8",
+    "webpack": "5.102.1",
    "webpack-cli": "5.1.4"
  }
 }
--- a/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/AdminConsole/ProviderFeatures/RemoveOrganizationFromProviderCommandTests.cs
@ -13,7 +13,7 @@ using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
-using Bit.Core.Utilities;
+using Bit.Core.Test.Billing.Mocks;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@ -131,7 +131,7 @@ public class RemoveOrganizationFromProviderCommandTests
                Arg.Is<IEnumerable<string>>(emails => emails.FirstOrDefault() == "a@example.com"));

        await sutProvider.GetDependency<IStripeAdapter>().DidNotReceiveWithAnyArgs()
-            .CustomerUpdateAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>());
+            .UpdateCustomerAsync(Arg.Any<string>(), Arg.Any<CustomerUpdateOptions>());
    }

    [Theory, BitAutoData]
@ -156,18 +156,22 @@ public class RemoveOrganizationFromProviderCommandTests
            "b@example.com"
        ]);

-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionGetAsync(organization.GatewaySubscriptionId)
-            .Returns(GetSubscription(organization.GatewaySubscriptionId));
+        sutProvider.GetDependency<IStripeAdapter>().GetSubscriptionAsync(organization.GatewaySubscriptionId, Arg.Is<SubscriptionGetOptions>(
+                options => options.Expand.Contains("customer")))
+            .Returns(GetSubscription(organization.GatewaySubscriptionId, organization.GatewayCustomerId));

        await sutProvider.Sut.RemoveOrganizationFromProvider(provider, providerOrganization, organization);

        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();

-        await stripeAdapter.Received(1).CustomerUpdateAsync(organization.GatewayCustomerId,
-            Arg.Is<CustomerUpdateOptions>(options =>
-                options.Coupon == string.Empty && options.Email == "a@example.com"));
+        await stripeAdapter.Received(1).UpdateCustomerAsync(organization.GatewayCustomerId,
+            Arg.Is<CustomerUpdateOptions>(options => options.Email == "a@example.com"));

-        await stripeAdapter.Received(1).SubscriptionUpdateAsync(organization.GatewaySubscriptionId,
+        await stripeAdapter.Received(1).DeleteCustomerDiscountAsync(organization.GatewayCustomerId);
+
+        await stripeAdapter.Received(1).DeleteCustomerDiscountAsync(organization.GatewayCustomerId);
+
+        await stripeAdapter.Received(1).UpdateSubscriptionAsync(organization.GatewaySubscriptionId,
            Arg.Is<SubscriptionUpdateOptions>(options =>
                options.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
                options.DaysUntilDue == 30));
@ -205,7 +209,7 @@ public class RemoveOrganizationFromProviderCommandTests

        organization.PlanType = PlanType.TeamsMonthly;

-        var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
+        var teamsMonthlyPlan = MockPlans.Get(PlanType.TeamsMonthly);

        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(PlanType.TeamsMonthly).Returns(teamsMonthlyPlan);

@ -224,7 +228,7 @@ public class RemoveOrganizationFromProviderCommandTests

        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();

-        stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
            options.Description == string.Empty &&
            options.Email == organization.BillingEmail &&
            options.Expand[0] == "tax" &&
@ -237,14 +241,14 @@ public class RemoveOrganizationFromProviderCommandTests
                }
            });

-        stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
+        stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
        {
            Id = "subscription_id"
        });

        await sutProvider.Sut.RemoveOrganizationFromProvider(provider, providerOrganization, organization);

-        await stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(options =>
+        await stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(options =>
            options.Customer == organization.GatewayCustomerId &&
            options.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
            options.DaysUntilDue == 30 &&
@ -294,7 +298,7 @@ public class RemoveOrganizationFromProviderCommandTests

        organization.PlanType = PlanType.TeamsMonthly;

-        var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
+        var teamsMonthlyPlan = MockPlans.Get(PlanType.TeamsMonthly);

        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(PlanType.TeamsMonthly).Returns(teamsMonthlyPlan);

@ -313,7 +317,7 @@ public class RemoveOrganizationFromProviderCommandTests

        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();

-        stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
+        stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Is<CustomerUpdateOptions>(options =>
            options.Description == string.Empty &&
            options.Email == organization.BillingEmail &&
            options.Expand[0] == "tax" &&
@ -326,14 +330,14 @@ public class RemoveOrganizationFromProviderCommandTests
                }
            });

-        stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
+        stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
        {
            Id = "subscription_id"
        });

        await sutProvider.Sut.RemoveOrganizationFromProvider(provider, providerOrganization, organization);

-        await stripeAdapter.Received(1).SubscriptionCreateAsync(Arg.Is<SubscriptionCreateOptions>(options =>
+        await stripeAdapter.Received(1).CreateSubscriptionAsync(Arg.Is<SubscriptionCreateOptions>(options =>
            options.Customer == organization.GatewayCustomerId &&
            options.CollectionMethod == StripeConstants.CollectionMethod.SendInvoice &&
            options.DaysUntilDue == 30 &&
@ -368,10 +372,21 @@ public class RemoveOrganizationFromProviderCommandTests
                Arg.Is<IEnumerable<string>>(emails => emails.FirstOrDefault() == "a@example.com"));
    }

-    private static Subscription GetSubscription(string subscriptionId) =>
+    private static Subscription GetSubscription(string subscriptionId, string customerId) =>
        new()
        {
            Id = subscriptionId,
+            CustomerId = customerId,
+            Customer = new Customer
+            {
+                Discount = new Discount
+                {
+                    Coupon = new Coupon
+                    {
+                        Id = "coupon-id"
+                    }
+                }
+            },
            Status = StripeConstants.SubscriptionStatus.Active,
            Items = new StripeList<SubscriptionItem>
            {
@ -403,7 +418,7 @@ public class RemoveOrganizationFromProviderCommandTests
        organization.PlanType = PlanType.TeamsMonthly;
        organization.Enabled = false; // Start with a disabled organization

-        var teamsMonthlyPlan = StaticStore.GetPlan(PlanType.TeamsMonthly);
+        var teamsMonthlyPlan = MockPlans.Get(PlanType.TeamsMonthly);

        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(PlanType.TeamsMonthly).Returns(teamsMonthlyPlan);

@ -421,7 +436,7 @@ public class RemoveOrganizationFromProviderCommandTests

        var stripeAdapter = sutProvider.GetDependency<IStripeAdapter>();

-        stripeAdapter.CustomerUpdateAsync(organization.GatewayCustomerId, Arg.Any<CustomerUpdateOptions>())
+        stripeAdapter.UpdateCustomerAsync(organization.GatewayCustomerId, Arg.Any<CustomerUpdateOptions>())
            .Returns(new Customer
            {
                Id = "customer_id",
@ -431,7 +446,7 @@ public class RemoveOrganizationFromProviderCommandTests
                }
            });

-        stripeAdapter.SubscriptionCreateAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
+        stripeAdapter.CreateSubscriptionAsync(Arg.Any<SubscriptionCreateOptions>()).Returns(new Subscription
        {
            Id = "new_subscription_id"
        });
--- a/bitwarden_license/test/Commercial.Core.Test/AdminConsole/Services/ProviderServiceTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/AdminConsole/Services/ProviderServiceTests.cs
@ -1,17 +1,23 @@
 using Bit.Commercial.Core.AdminConsole.Services;
 using Bit.Commercial.Core.Test.AdminConsole.AutoFixture;
+using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.AdminConsole.Enums.Provider;
 using Bit.Core.AdminConsole.Models.Business.Provider;
 using Bit.Core.AdminConsole.Models.Business.Tokenables;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.Models.Data.Provider;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
-using Bit.Core.Billing.Models;
+using Bit.Core.Billing.Payment.Models;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Providers.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Context;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@ -20,6 +26,7 @@ using Bit.Core.Models.Business;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Test.AutoFixture.OrganizationFixtures;
+using Bit.Core.Test.Billing.Mocks;
 using Bit.Core.Tokens;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture;
@ -41,7 +48,7 @@ public class ProviderServiceTests
    public async Task CompleteSetupAsync_UserIdIsInvalid_Throws(SutProvider<ProviderService> sutProvider)
    {
        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.CompleteSetupAsync(default, default, default, default, null));
+            () => sutProvider.Sut.CompleteSetupAsync(default, default, default, default, null, null));
        Assert.Contains("Invalid owner.", exception.Message);
    }

@ -53,83 +60,12 @@ public class ProviderServiceTests
        userService.GetUserByIdAsync(user.Id).Returns(user);

        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.CompleteSetupAsync(provider, user.Id, default, default, null));
+            () => sutProvider.Sut.CompleteSetupAsync(provider, user.Id, default, default, null, null));
        Assert.Contains("Invalid token.", exception.Message);
    }

    [Theory, BitAutoData]
-    public async Task CompleteSetupAsync_InvalidTaxInfo_ThrowsBadRequestException(
-        User user,
-        Provider provider,
-        string key,
-        TaxInfo taxInfo,
-        TokenizedPaymentSource tokenizedPaymentSource,
-        [ProviderUser] ProviderUser providerUser,
-        SutProvider<ProviderService> sutProvider)
-    {
-        providerUser.ProviderId = provider.Id;
-        providerUser.UserId = user.Id;
-        var userService = sutProvider.GetDependency<IUserService>();
-        userService.GetUserByIdAsync(user.Id).Returns(user);
-
-        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
-        providerUserRepository.GetByProviderUserAsync(provider.Id, user.Id).Returns(providerUser);
-
-        var dataProtectionProvider = DataProtectionProvider.Create("ApplicationName");
-        var protector = dataProtectionProvider.CreateProtector("ProviderServiceDataProtector");
-        sutProvider.GetDependency<IDataProtectionProvider>().CreateProtector("ProviderServiceDataProtector")
-            .Returns(protector);
-
-        sutProvider.Create();
-
-        var token = protector.Protect($"ProviderSetupInvite {provider.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
-
-        taxInfo.BillingAddressCountry = null;
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
-            sutProvider.Sut.CompleteSetupAsync(provider, user.Id, token, key, taxInfo, tokenizedPaymentSource));
-
-        Assert.Equal("Both address and postal code are required to set up your provider.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task CompleteSetupAsync_InvalidTokenizedPaymentSource_ThrowsBadRequestException(
-        User user,
-        Provider provider,
-        string key,
-        TaxInfo taxInfo,
-        TokenizedPaymentSource tokenizedPaymentSource,
-        [ProviderUser] ProviderUser providerUser,
-        SutProvider<ProviderService> sutProvider)
-    {
-        providerUser.ProviderId = provider.Id;
-        providerUser.UserId = user.Id;
-        var userService = sutProvider.GetDependency<IUserService>();
-        userService.GetUserByIdAsync(user.Id).Returns(user);
-
-        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
-        providerUserRepository.GetByProviderUserAsync(provider.Id, user.Id).Returns(providerUser);
-
-        var dataProtectionProvider = DataProtectionProvider.Create("ApplicationName");
-        var protector = dataProtectionProvider.CreateProtector("ProviderServiceDataProtector");
-        sutProvider.GetDependency<IDataProtectionProvider>().CreateProtector("ProviderServiceDataProtector")
-            .Returns(protector);
-
-        sutProvider.Create();
-
-        var token = protector.Protect($"ProviderSetupInvite {provider.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
-
-
-        tokenizedPaymentSource = tokenizedPaymentSource with { Type = PaymentMethodType.BitPay };
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
-            sutProvider.Sut.CompleteSetupAsync(provider, user.Id, token, key, taxInfo, tokenizedPaymentSource));
-
-        Assert.Equal("A payment method is required to set up your provider.", exception.Message);
-    }
-
-    [Theory, BitAutoData]
-    public async Task CompleteSetupAsync_Success(User user, Provider provider, string key, TaxInfo taxInfo, TokenizedPaymentSource tokenizedPaymentSource,
+    public async Task CompleteSetupAsync_Success(User user, Provider provider, string key, TokenizedPaymentMethod tokenizedPaymentMethod, BillingAddress billingAddress,
            [ProviderUser] ProviderUser providerUser,
            SutProvider<ProviderService> sutProvider)
    {
@ -149,7 +85,7 @@ public class ProviderServiceTests
        var providerBillingService = sutProvider.GetDependency<IProviderBillingService>();

        var customer = new Customer { Id = "customer_id" };
-        providerBillingService.SetupCustomer(provider, taxInfo, tokenizedPaymentSource).Returns(customer);
+        providerBillingService.SetupCustomer(provider, tokenizedPaymentMethod, billingAddress).Returns(customer);

        var subscription = new Subscription { Id = "subscription_id" };
        providerBillingService.SetupSubscription(provider).Returns(subscription);
@ -158,7 +94,7 @@ public class ProviderServiceTests

        var token = protector.Protect($"ProviderSetupInvite {provider.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");

-        await sutProvider.Sut.CompleteSetupAsync(provider, user.Id, token, key, taxInfo, tokenizedPaymentSource);
+        await sutProvider.Sut.CompleteSetupAsync(provider, user.Id, token, key, tokenizedPaymentMethod, billingAddress);

        await sutProvider.GetDependency<IProviderRepository>().Received().UpsertAsync(Arg.Is<Provider>(
            p =>
@ -170,6 +106,57 @@ public class ProviderServiceTests
            .ReplaceAsync(Arg.Is<ProviderUser>(pu => pu.UserId == user.Id && pu.ProviderId == provider.Id && pu.Key == key));
    }

+    [Theory, BitAutoData]
+    public async Task CompleteSetupAsync_WithAutoConfirmEnabled_ThrowsUserCannotJoinProviderError(User user, Provider provider,
+        string key,
+        TokenizedPaymentMethod tokenizedPaymentMethod, BillingAddress billingAddress,
+        [ProviderUser] ProviderUser providerUser,
+        SutProvider<ProviderService> sutProvider)
+    {
+        providerUser.ProviderId = provider.Id;
+        providerUser.UserId = user.Id;
+        var userService = sutProvider.GetDependency<IUserService>();
+        userService.GetUserByIdAsync(user.Id).Returns(user);
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetByProviderUserAsync(provider.Id, user.Id).Returns(providerUser);
+
+        var dataProtectionProvider = DataProtectionProvider.Create("ApplicationName");
+        var protector = dataProtectionProvider.CreateProtector("ProviderServiceDataProtector");
+        sutProvider.GetDependency<IDataProtectionProvider>().CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+
+        var providerBillingService = sutProvider.GetDependency<IProviderBillingService>();
+
+        var customer = new Customer { Id = "customer_id" };
+        providerBillingService.SetupCustomer(provider, tokenizedPaymentMethod, billingAddress).Returns(customer);
+
+        var subscription = new Subscription { Id = "subscription_id" };
+        providerBillingService.SetupSubscription(provider).Returns(subscription);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyDetails = new List<PolicyDetails> { new() { OrganizationId = Guid.NewGuid(), IsProvider = false } };
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(policyRequirement);
+
+        sutProvider.Create();
+
+        var token = protector.Protect(
+            $"ProviderSetupInvite {provider.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.CompleteSetupAsync(provider, user.Id, token, key, tokenizedPaymentMethod,
+                billingAddress));
+
+        Assert.Equal(new UserCannotJoinProvider().Message, exception.Message);
+    }
+
    [Theory, BitAutoData]
    public async Task UpdateAsync_ProviderIdIsInvalid_Throws(Provider provider, SutProvider<ProviderService> sutProvider)
    {
@ -649,6 +636,132 @@ public class ProviderServiceTests
        Assert.Equal(user.Id, pu.UserId);
    }

+    [Theory, BitAutoData]
+    public async Task AcceptUserAsync_WithAutoConfirmEnabledAndPolicyExists_Throws(
+        [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser providerUser,
+        User user,
+        SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetByIdAsync(providerUser.Id)
+            .Returns(providerUser);
+
+        var protector = DataProtectionProvider
+            .Create("ApplicationName")
+            .CreateProtector("ProviderServiceDataProtector");
+
+        sutProvider.GetDependency<IDataProtectionProvider>()
+            .CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+
+        sutProvider.Create();
+
+        providerUser.Email = user.Email;
+        var token = protector.Protect($"ProviderUserInvite {providerUser.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyDetails = new List<PolicyDetails>
+        {
+            new() { OrganizationId = Guid.NewGuid(), IsProvider = false }
+        };
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(policyRequirement);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.AcceptUserAsync(providerUser.Id, user, token));
+
+        Assert.Equal(new UserCannotJoinProvider().Message, exception.Message);
+    }
+
+    [Theory, BitAutoData]
+    public async Task AcceptUserAsync_WithAutoConfirmEnabledButNoPolicyExists_Success(
+        [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser providerUser,
+        User user,
+        SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetByIdAsync(providerUser.Id)
+            .Returns(providerUser);
+
+        var protector = DataProtectionProvider
+            .Create("ApplicationName")
+            .CreateProtector("ProviderServiceDataProtector");
+
+        sutProvider.GetDependency<IDataProtectionProvider>()
+            .CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+        sutProvider.Create();
+
+        providerUser.Email = user.Email;
+        var token = protector.Protect($"ProviderUserInvite {providerUser.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement([]);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id)
+            .Returns(policyRequirement);
+
+        // Act
+        var pu = await sutProvider.Sut.AcceptUserAsync(providerUser.Id, user, token);
+
+        // Assert
+        Assert.Null(pu.Email);
+        Assert.Equal(ProviderUserStatusType.Accepted, pu.Status);
+        Assert.Equal(user.Id, pu.UserId);
+    }
+
+    [Theory, BitAutoData]
+    public async Task AcceptUserAsync_WithAutoConfirmDisabled_Success(
+        [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser providerUser,
+        User user,
+        SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetByIdAsync(providerUser.Id)
+            .Returns(providerUser);
+
+        var protector = DataProtectionProvider
+            .Create("ApplicationName")
+            .CreateProtector("ProviderServiceDataProtector");
+
+        sutProvider.GetDependency<IDataProtectionProvider>()
+            .CreateProtector("ProviderServiceDataProtector")
+            .Returns(protector);
+        sutProvider.Create();
+
+        providerUser.Email = user.Email;
+        var token = protector.Protect($"ProviderUserInvite {providerUser.Id} {user.Email} {CoreHelpers.ToEpocMilliseconds(DateTime.UtcNow)}");
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(false);
+
+        // Act
+        var pu = await sutProvider.Sut.AcceptUserAsync(providerUser.Id, user, token);
+
+        // Assert
+        Assert.Null(pu.Email);
+        Assert.Equal(ProviderUserStatusType.Accepted, pu.Status);
+        Assert.Equal(user.Id, pu.UserId);
+
+        // Verify that policy check was never called when feature flag is disabled
+        await sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .DidNotReceive()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(user.Id);
+    }
+
    [Theory, BitAutoData]
    public async Task ConfirmUsersAsync_NoValid(
        [ProviderUser(ProviderUserStatusType.Invited)] ProviderUser pu1,
@ -695,13 +808,131 @@ public class ProviderServiceTests
        Assert.Equal("Invalid user.", result[2].Item2);
    }

+    [Theory, BitAutoData]
+    public async Task ConfirmUsersAsync_WithAutoConfirmEnabledAndPolicyExists_ReturnsError(
+        [ProviderUser(ProviderUserStatusType.Accepted)] ProviderUser pu1, User u1,
+        Provider provider, User confirmingUser, SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        pu1.ProviderId = provider.Id;
+        pu1.UserId = u1.Id;
+        var providerUsers = new[] { pu1 };
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetManyAsync([]).ReturnsForAnyArgs(providerUsers);
+        sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([u1]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyDetails = new List<PolicyDetails>
+        {
+            new() { OrganizationId = Guid.NewGuid(), IsProvider = false }
+        };
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(policyDetails);
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(u1.Id)
+            .Returns(policyRequirement);
+
+        var dict = providerUsers.ToDictionary(pu => pu.Id, _ => "key");
+
+        // Act
+        var result = await sutProvider.Sut.ConfirmUsersAsync(pu1.ProviderId, dict, confirmingUser.Id);
+
+        // Assert
+        Assert.Single(result);
+        Assert.Equal(new UserCannotJoinProvider().Message, result[0].Item2);
+
+        // Verify user was not confirmed
+        await providerUserRepository.DidNotReceive().ReplaceAsync(Arg.Any<ProviderUser>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUsersAsync_WithAutoConfirmEnabledButNoPolicyExists_Success(
+        [ProviderUser(ProviderUserStatusType.Accepted)] ProviderUser pu1, User u1,
+        Provider provider, User confirmingUser, SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        pu1.ProviderId = provider.Id;
+        pu1.UserId = u1.Id;
+        var providerUsers = new[] { pu1 };
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetManyAsync([]).ReturnsForAnyArgs(providerUsers);
+        sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([u1]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        var policyRequirement = new AutomaticUserConfirmationPolicyRequirement(new List<PolicyDetails>());
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(u1.Id)
+            .Returns(policyRequirement);
+
+        var dict = providerUsers.ToDictionary(pu => pu.Id, _ => "key");
+
+        // Act
+        var result = await sutProvider.Sut.ConfirmUsersAsync(pu1.ProviderId, dict, confirmingUser.Id);
+
+        // Assert
+        Assert.Single(result);
+        Assert.Equal("", result[0].Item2);
+
+        // Verify user was confirmed
+        await providerUserRepository.Received(1).ReplaceAsync(Arg.Is<ProviderUser>(pu =>
+            pu.Status == ProviderUserStatusType.Confirmed));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ConfirmUsersAsync_WithAutoConfirmDisabled_Success(
+        [ProviderUser(ProviderUserStatusType.Accepted)] ProviderUser pu1, User u1,
+        Provider provider, User confirmingUser, SutProvider<ProviderService> sutProvider)
+    {
+        // Arrange
+        pu1.ProviderId = provider.Id;
+        pu1.UserId = u1.Id;
+        var providerUsers = new[] { pu1 };
+
+        var providerUserRepository = sutProvider.GetDependency<IProviderUserRepository>();
+        providerUserRepository.GetManyAsync([]).ReturnsForAnyArgs(providerUsers);
+
+        sutProvider.GetDependency<IProviderRepository>().GetByIdAsync(provider.Id).Returns(provider);
+        sutProvider.GetDependency<IUserRepository>().GetManyAsync([]).ReturnsForAnyArgs([u1]);
+
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(false);
+
+        var dict = providerUsers.ToDictionary(pu => pu.Id, _ => "key");
+
+        // Act
+        var result = await sutProvider.Sut.ConfirmUsersAsync(pu1.ProviderId, dict, confirmingUser.Id);
+
+        // Assert
+        Assert.Single(result);
+        Assert.Equal("", result[0].Item2);
+
+        // Verify user was confirmed
+        await providerUserRepository.Received(1).ReplaceAsync(Arg.Is<ProviderUser>(pu =>
+            pu.Status == ProviderUserStatusType.Confirmed));
+
+        // Verify that policy check was never called when feature flag is disabled
+        await sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .DidNotReceive()
+            .GetAsync<AutomaticUserConfirmationPolicyRequirement>(Arg.Any<Guid>());
+    }
+
    [Theory, BitAutoData]
    public async Task SaveUserAsync_UserIdIsInvalid_Throws(ProviderUser providerUser,
        SutProvider<ProviderService> sutProvider)
    {
-        providerUser.Id = default;
-        var exception = await Assert.ThrowsAsync<BadRequestException>(
-            () => sutProvider.Sut.SaveUserAsync(providerUser, default));
+        providerUser.Id = Guid.Empty;
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.SaveUserAsync(providerUser, Guid.Empty));
        Assert.Equal("Invite the user first.", exception.Message);
    }

@ -827,7 +1058,7 @@ public class ProviderServiceTests
        await organizationRepository.Received(1)
            .ReplaceAsync(Arg.Is<Organization>(org => org.BillingEmail == provider.BillingEmail));

-        await sutProvider.GetDependency<IStripeAdapter>().Received(1).CustomerUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().Received(1).UpdateCustomerAsync(
            organization.GatewayCustomerId,
            Arg.Is<CustomerUpdateOptions>(options => options.Email == provider.BillingEmail));

@ -882,12 +1113,12 @@ public class ProviderServiceTests
        organization.Plan = "Enterprise (Monthly)";

        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(organization.PlanType)
-            .Returns(StaticStore.GetPlan(organization.PlanType));
+            .Returns(MockPlans.Get(organization.PlanType));

        var expectedPlanType = PlanType.EnterpriseMonthly2020;

        sutProvider.GetDependency<IPricingClient>().GetPlanOrThrow(expectedPlanType)
-            .Returns(StaticStore.GetPlan(expectedPlanType));
+            .Returns(MockPlans.Get(expectedPlanType));

        var expectedPlanId = "2020-enterprise-org-seat-monthly";

@ -898,9 +1129,9 @@ public class ProviderServiceTests

        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
        var subscriptionItem = GetSubscription(organization.GatewaySubscriptionId);
-        sutProvider.GetDependency<IStripeAdapter>().SubscriptionGetAsync(organization.GatewaySubscriptionId)
+        sutProvider.GetDependency<IStripeAdapter>().GetSubscriptionAsync(organization.GatewaySubscriptionId)
            .Returns(GetSubscription(organization.GatewaySubscriptionId));
-        await sutProvider.GetDependency<IStripeAdapter>().SubscriptionUpdateAsync(
+        await sutProvider.GetDependency<IStripeAdapter>().UpdateSubscriptionAsync(
            organization.GatewaySubscriptionId, SubscriptionUpdateRequest(expectedPlanId, subscriptionItem));

        await sutProvider.Sut.AddOrganization(provider.Id, organization.Id, key);
--- a/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Queries/GetProviderWarningsQueryTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Queries/GetProviderWarningsQueryTests.cs
@ -3,7 +3,6 @@ using Bit.Core.AdminConsole.Entities.Provider;
 using Bit.Core.Billing.Constants;
 using Bit.Core.Billing.Services;
 using Bit.Core.Context;
-using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@ -58,12 +57,12 @@ public class GetProviderWarningsQueryTests
                Customer = new Customer
                {
                    TaxIds = new StripeList<TaxId> { Data = [] },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration> { Data = [] });

        var response = await sutProvider.Sut.Run(provider);
@ -90,12 +89,12 @@ public class GetProviderWarningsQueryTests
                Customer = new Customer
                {
                    TaxIds = new StripeList<TaxId> { Data = [] },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration> { Data = [] });

        var response = await sutProvider.Sut.Run(provider);
@ -124,12 +123,12 @@ public class GetProviderWarningsQueryTests
                Customer = new Customer
                {
                    TaxIds = new StripeList<TaxId> { Data = [] },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(false);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration> { Data = [] });

        var response = await sutProvider.Sut.Run(provider);
@ -158,12 +157,12 @@ public class GetProviderWarningsQueryTests
                Customer = new Customer
                {
                    TaxIds = new StripeList<TaxId> { Data = [] },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration> { Data = [] });

        var response = await sutProvider.Sut.Run(provider);
@ -191,7 +190,7 @@ public class GetProviderWarningsQueryTests
                Customer = new Customer
                {
                    TaxIds = new StripeList<TaxId> { Data = [] },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

@ -219,15 +218,15 @@ public class GetProviderWarningsQueryTests
                Customer = new Customer
                {
                    TaxIds = new StripeList<TaxId> { Data = [] },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
-                Data = [new Registration { Country = "CA" }]
+                Data = [new Registration { Country = "GB" }]
            });

        var response = await sutProvider.Sut.Run(provider);
@ -252,15 +251,15 @@ public class GetProviderWarningsQueryTests
                Customer = new Customer
                {
                    TaxIds = new StripeList<TaxId> { Data = [] },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
-                Data = [new Registration { Country = "US" }]
+                Data = [new Registration { Country = "CA" }]
            });

        var response = await sutProvider.Sut.Run(provider);
@ -291,15 +290,15 @@ public class GetProviderWarningsQueryTests
                    {
                        Data = [new TaxId { Verification = null }]
                    },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
-                Data = [new Registration { Country = "US" }]
+                Data = [new Registration { Country = "CA" }]
            });

        var response = await sutProvider.Sut.Run(provider);
@ -333,15 +332,15 @@ public class GetProviderWarningsQueryTests
                            }
                        }]
                    },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
-                Data = [new Registration { Country = "US" }]
+                Data = [new Registration { Country = "CA" }]
            });

        var response = await sutProvider.Sut.Run(provider);
@ -378,15 +377,15 @@ public class GetProviderWarningsQueryTests
                            }
                        }]
                    },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
-                Data = [new Registration { Country = "US" }]
+                Data = [new Registration { Country = "CA" }]
            });

        var response = await sutProvider.Sut.Run(provider);
@ -423,15 +422,15 @@ public class GetProviderWarningsQueryTests
                            }
                        }]
                    },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
-                Data = [new Registration { Country = "US" }]
+                Data = [new Registration { Country = "CA" }]
            });

        var response = await sutProvider.Sut.Run(provider);
@ -461,7 +460,7 @@ public class GetProviderWarningsQueryTests
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Active))
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Active))
            .Returns(new StripeList<Registration>
            {
                Data = [
@ -470,7 +469,7 @@ public class GetProviderWarningsQueryTests
                    new Registration { Country = "FR" }
                ]
            });
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Scheduled))
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Is<RegistrationListOptions>(opt => opt.Status == TaxRegistrationStatus.Scheduled))
            .Returns(new StripeList<Registration> { Data = [] });

        var response = await sutProvider.Sut.Run(provider);
@ -500,15 +499,15 @@ public class GetProviderWarningsQueryTests
                Customer = new Customer
                {
                    TaxIds = new StripeList<TaxId> { Data = [] },
-                    Address = new Address { Country = "US" }
+                    Address = new Address { Country = "CA" }
                }
            });

        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
-        sutProvider.GetDependency<IStripeAdapter>().TaxRegistrationsListAsync(Arg.Any<RegistrationListOptions>())
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
            .Returns(new StripeList<Registration>
            {
-                Data = [new Registration { Country = "US" }]
+                Data = [new Registration { Country = "CA" }]
            });

        var response = await sutProvider.Sut.Run(provider);
@ -520,4 +519,37 @@ public class GetProviderWarningsQueryTests
        });
        Assert.Equal(cancelAt, response.Suspension.SubscriptionCancelsAt);
    }
+
+    [Theory, BitAutoData]
+    public async Task Run_USCustomer_NoTaxIdWarning(
+        Provider provider,
+        SutProvider<GetProviderWarningsQuery> sutProvider)
+    {
+        provider.Enabled = true;
+
+        sutProvider.GetDependency<ISubscriberService>()
+            .GetSubscription(provider, Arg.Is<SubscriptionGetOptions>(options =>
+                options.Expand.SequenceEqual(_requiredExpansions)
+            ))
+            .Returns(new Subscription
+            {
+                Status = SubscriptionStatus.Active,
+                Customer = new Customer
+                {
+                    TaxIds = new StripeList<TaxId> { Data = [] },
+                    Address = new Address { Country = "US" }
+                }
+            });
+
+        sutProvider.GetDependency<ICurrentContext>().ProviderProviderAdmin(provider.Id).Returns(true);
+        sutProvider.GetDependency<IStripeAdapter>().ListTaxRegistrationsAsync(Arg.Any<RegistrationListOptions>())
+            .Returns(new StripeList<Registration>
+            {
+                Data = [new Registration { Country = "US" }]
+            });
+
+        var response = await sutProvider.Sut.Run(provider);
+
+        Assert.Null(response!.TaxId);
+    }
 }
--- a/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Services/BusinessUnitConverterTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Services/BusinessUnitConverterTests.cs
@ -18,6 +18,7 @@ using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
+using Bit.Core.Test.Billing.Mocks;
 using Bit.Core.Utilities;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.DataProtection;
@ -72,7 +73,7 @@ public class BusinessUnitConverterTests
    {
        organization.PlanType = PlanType.EnterpriseAnnually2020;

-        var enterpriseAnnually2020 = StaticStore.GetPlan(PlanType.EnterpriseAnnually2020);
+        var enterpriseAnnually2020 = MockPlans.Get(PlanType.EnterpriseAnnually2020);

        var subscription = new Subscription
        {
@ -134,7 +135,7 @@ public class BusinessUnitConverterTests
        _pricingClient.GetPlanOrThrow(PlanType.EnterpriseAnnually2020)
            .Returns(enterpriseAnnually2020);

-        var enterpriseAnnually = StaticStore.GetPlan(PlanType.EnterpriseAnnually);
+        var enterpriseAnnually = MockPlans.Get(PlanType.EnterpriseAnnually);

        _pricingClient.GetPlanOrThrow(PlanType.EnterpriseAnnually)
            .Returns(enterpriseAnnually);
@ -143,11 +144,11 @@ public class BusinessUnitConverterTests

        await businessUnitConverter.FinalizeConversion(organization, userId, token, providerKey, organizationKey);

-        await _stripeAdapter.Received(2).CustomerUpdateAsync(subscription.CustomerId, Arg.Any<CustomerUpdateOptions>());
+        await _stripeAdapter.Received(2).UpdateCustomerAsync(subscription.CustomerId, Arg.Any<CustomerUpdateOptions>());

        var updatedPriceId = ProviderPriceAdapter.GetActivePriceId(provider, enterpriseAnnually.Type);

-        await _stripeAdapter.Received(1).SubscriptionUpdateAsync(subscription.Id, Arg.Is<SubscriptionUpdateOptions>(
+        await _stripeAdapter.Received(1).UpdateSubscriptionAsync(subscription.Id, Arg.Is<SubscriptionUpdateOptions>(
            arguments =>
                arguments.Items.Count == 2 &&
                arguments.Items[0].Id == "subscription_item_id" &&
@ -242,7 +243,7 @@ public class BusinessUnitConverterTests
            argument.Status == ProviderStatusType.Pending &&
            argument.Type == ProviderType.BusinessUnit)).Returns(provider);

-        var plan = StaticStore.GetPlan(organization.PlanType);
+        var plan = MockPlans.Get(organization.PlanType);

        _pricingClient.GetPlanOrThrow(organization.PlanType).Returns(plan);

--- a/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Services/ProviderBillingServiceTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/Billing/Providers/Services/ProviderBillingServiceTests.cs
--- a/bitwarden_license/test/Commercial.Core.Test/SecretsManager/Queries/Projects/MaxProjectsQueryTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/SecretsManager/Queries/Projects/MaxProjectsQueryTests.cs
@ -6,7 +6,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Settings;
-using Bit.Core.Utilities;
+using Bit.Core.Test.Billing.Mocks;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
@ -69,7 +69,7 @@ public class MaxProjectsQueryTests
        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);

        sutProvider.GetDependency<IPricingClient>().GetPlan(organization.PlanType)
-            .Returns(StaticStore.GetPlan(organization.PlanType));
+            .Returns(MockPlans.Get(organization.PlanType));

        var (limit, overLimit) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, 1);

@ -114,7 +114,7 @@ public class MaxProjectsQueryTests
            .Returns(projects);

        sutProvider.GetDependency<IPricingClient>().GetPlan(organization.PlanType)
-            .Returns(StaticStore.GetPlan(organization.PlanType));
+            .Returns(MockPlans.Get(organization.PlanType));

        var (max, overMax) = await sutProvider.Sut.GetByOrgIdAsync(organization.Id, projectsToAdd);

--- a/bitwarden_license/test/Commercial.Core.Test/SecretsManager/Repositories/SecretVersionRepositoryTests.cs
+++ b/bitwarden_license/test/Commercial.Core.Test/SecretsManager/Repositories/SecretVersionRepositoryTests.cs
@ -0,0 +1,130 @@
+using Bit.Core.SecretsManager.Entities;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Xunit;
+
+namespace Bit.Commercial.Core.Test.SecretsManager.Repositories;
+
+public class SecretVersionRepositoryTests
+{
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_EntityCreation_Success(SecretVersion secretVersion)
+    {
+        // Arrange & Act
+        secretVersion.SetNewId();
+
+        // Assert
+        Assert.NotEqual(Guid.Empty, secretVersion.Id);
+        Assert.NotEqual(Guid.Empty, secretVersion.SecretId);
+        Assert.NotNull(secretVersion.Value);
+        Assert.NotEqual(default, secretVersion.VersionDate);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_WithServiceAccountEditor_Success(SecretVersion secretVersion, Guid serviceAccountId)
+    {
+        // Arrange & Act
+        secretVersion.EditorServiceAccountId = serviceAccountId;
+        secretVersion.EditorOrganizationUserId = null;
+
+        // Assert
+        Assert.Equal(serviceAccountId, secretVersion.EditorServiceAccountId);
+        Assert.Null(secretVersion.EditorOrganizationUserId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_WithOrganizationUserEditor_Success(SecretVersion secretVersion, Guid organizationUserId)
+    {
+        // Arrange & Act
+        secretVersion.EditorOrganizationUserId = organizationUserId;
+        secretVersion.EditorServiceAccountId = null;
+
+        // Assert
+        Assert.Equal(organizationUserId, secretVersion.EditorOrganizationUserId);
+        Assert.Null(secretVersion.EditorServiceAccountId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_NullableEditors_Success(SecretVersion secretVersion)
+    {
+        // Arrange & Act
+        secretVersion.EditorServiceAccountId = null;
+        secretVersion.EditorOrganizationUserId = null;
+
+        // Assert
+        Assert.Null(secretVersion.EditorServiceAccountId);
+        Assert.Null(secretVersion.EditorOrganizationUserId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_VersionDateSet_Success(SecretVersion secretVersion)
+    {
+        // Arrange
+        var versionDate = DateTime.UtcNow;
+
+        // Act
+        secretVersion.VersionDate = versionDate;
+
+        // Assert
+        Assert.Equal(versionDate, secretVersion.VersionDate);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_ValueEncrypted_Success(SecretVersion secretVersion, string encryptedValue)
+    {
+        // Arrange & Act
+        secretVersion.Value = encryptedValue;
+
+        // Assert
+        Assert.Equal(encryptedValue, secretVersion.Value);
+        Assert.NotEmpty(secretVersion.Value);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_MultipleVersions_DifferentIds(List<SecretVersion> secretVersions, Guid secretId)
+    {
+        // Arrange & Act
+        foreach (var version in secretVersions)
+        {
+            version.SecretId = secretId;
+            version.SetNewId();
+        }
+
+        // Assert
+        var distinctIds = secretVersions.Select(v => v.Id).Distinct();
+        Assert.Equal(secretVersions.Count, distinctIds.Count());
+        Assert.All(secretVersions, v => Assert.Equal(secretId, v.SecretId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void SecretVersion_VersionDateOrdering_Success(SecretVersion version1, SecretVersion version2, SecretVersion version3, Guid secretId)
+    {
+        // Arrange
+        var now = DateTime.UtcNow;
+        version1.SecretId = secretId;
+        version1.VersionDate = now.AddDays(-2);
+
+        version2.SecretId = secretId;
+        version2.VersionDate = now.AddDays(-1);
+
+        version3.SecretId = secretId;
+        version3.VersionDate = now;
+
+        var versions = new List<SecretVersion> { version2, version3, version1 };
+
+        // Act
+        var orderedVersions = versions.OrderByDescending(v => v.VersionDate).ToList();
+
+        // Assert
+        Assert.Equal(version3.Id, orderedVersions[0].Id); // Most recent
+        Assert.Equal(version2.Id, orderedVersions[1].Id);
+        Assert.Equal(version1.Id, orderedVersions[2].Id); // Oldest
+    }
+}
--- a/bitwarden_license/test/SSO.Test/Controllers/AccountControllerTest.cs
+++ b/bitwarden_license/test/SSO.Test/Controllers/AccountControllerTest.cs
--- a/bitwarden_license/test/SSO.Test/SSO.Test.csproj
+++ b/bitwarden_license/test/SSO.Test/SSO.Test.csproj
@ -0,0 +1,35 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net8.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+
+        <IsPackable>false</IsPackable>
+        <IsTestProject>true</IsTestProject>
+    </PropertyGroup>
+
+    <ItemGroup>
+      <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
+      <PackageReference Include="xunit" Version="$(XUnitVersion)" />
+      <PackageReference Include="xunit.runner.visualstudio" Version="$(XUnitRunnerVisualStudioVersion)">
+        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        <PrivateAssets>all</PrivateAssets>
+      </PackageReference>
+      <PackageReference Include="coverlet.collector" Version="$(CoverletCollectorVersion)">
+        <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        <PrivateAssets>all</PrivateAssets>
+      </PackageReference>
+      <PackageReference Include="NSubstitute" Version="$(NSubstituteVersion)" />
+    </ItemGroup>
+
+    <ItemGroup>
+        <Using Include="Xunit"/>
+    </ItemGroup>
+
+    <ItemGroup>
+      <ProjectReference Include="..\..\src\Sso\Sso.csproj" />
+      <ProjectReference Include="..\..\..\test\Common\Common.csproj" />
+    </ItemGroup>
+
+</Project>
--- a/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs
+++ b/bitwarden_license/test/Scim.IntegrationTest/Controllers/v2/GroupsControllerTests.cs
@ -200,6 +200,38 @@ public class GroupsControllerTests : IClassFixture<ScimApplicationFactory>, IAsy
        AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
    }

+    [Fact]
+    public async Task GetList_SearchDisplayNameWithoutOptionalParameters_Success()
+    {
+        string filter = "displayName eq Test Group 2";
+        int? itemsPerPage = null;
+        int? startIndex = null;
+        var expectedResponse = new ScimListResponseModel<ScimGroupResponseModel>
+        {
+            ItemsPerPage = 50, //default value
+            TotalResults = 1,
+            StartIndex = 1, //default value
+            Resources = new List<ScimGroupResponseModel>
+            {
+                new ScimGroupResponseModel
+                {
+                    Id = ScimApplicationFactory.TestGroupId2,
+                    DisplayName = "Test Group 2",
+                    ExternalId = "B",
+                    Schemas = new List<string> { ScimConstants.Scim2SchemaGroup }
+                }
+            },
+            Schemas = new List<string> { ScimConstants.Scim2SchemaListResponse }
+        };
+
+        var context = await _factory.GroupsGetListAsync(ScimApplicationFactory.TestOrganizationId1, filter, itemsPerPage, startIndex);
+
+        Assert.Equal(StatusCodes.Status200OK, context.Response.StatusCode);
+
+        var responseModel = JsonSerializer.Deserialize<ScimListResponseModel<ScimGroupResponseModel>>(context.Response.Body, new JsonSerializerOptions { PropertyNamingPolicy = JsonNamingPolicy.CamelCase });
+        AssertHelper.AssertPropertyEqual(expectedResponse, responseModel);
+    }
+
    [Fact]
    public async Task Post_Success()
    {
--- a/bitwarden_license/test/Scim.IntegrationTest/appsettings.Development.json
+++ b/bitwarden_license/test/Scim.IntegrationTest/appsettings.Development.json
@ -0,0 +1,36 @@
+{
+  "globalSettings": {
+    "baseServiceUri": {
+      "vault": "https://localhost:8080",
+      "api": "http://localhost:4000",
+      "identity": "http://localhost:33656",
+      "admin": "http://localhost:62911",
+      "notifications": "http://localhost:61840",
+      "sso": "http://localhost:51822",
+      "internalNotifications": "http://localhost:61840",
+      "internalAdmin": "http://localhost:62911",
+      "internalIdentity": "http://localhost:33656",
+      "internalApi": "http://localhost:4000",
+      "internalVault": "https://localhost:8080",
+      "internalSso": "http://localhost:51822",
+      "internalScim": "http://localhost:44559"
+    },
+    "mail": {
+      "smtp": {
+        "host": "localhost",
+        "port": 10250
+      }
+    },
+    "attachment": {
+      "connectionString": "UseDevelopmentStorage=true",
+      "baseUrl": "http://localhost:4000/attachments/"
+    },
+    "events": {
+      "connectionString": "UseDevelopmentStorage=true"
+    },
+    "storage": {
+      "connectionString": "UseDevelopmentStorage=true"
+    },
+    "pricingUri": "https://billingpricing.qa.bitwarden.pw"
+  }
+}
--- a/bitwarden_license/test/Scim.Test/Groups/GetGroupsListQueryTests.cs
+++ b/bitwarden_license/test/Scim.Test/Groups/GetGroupsListQueryTests.cs
@ -1,6 +1,7 @@
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Scim.Groups;
+using Bit.Scim.Models;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
@ -24,7 +25,7 @@ public class GetGroupsListCommandTests
            .GetManyByOrganizationIdAsync(organizationId)
            .Returns(groups);

-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, null, count, startIndex);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Count = count, StartIndex = startIndex });

        AssertHelper.AssertPropertyEqual(groups.Skip(startIndex - 1).Take(count).ToList(), result.groupList);
        AssertHelper.AssertPropertyEqual(groups.Count, result.totalResults);
@ -47,7 +48,7 @@ public class GetGroupsListCommandTests
            .GetManyByOrganizationIdAsync(organizationId)
            .Returns(groups);

-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });

        AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
        AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);
@ -67,7 +68,7 @@ public class GetGroupsListCommandTests
            .GetManyByOrganizationIdAsync(organizationId)
            .Returns(groups);

-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });

        AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
        AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);
@ -90,7 +91,7 @@ public class GetGroupsListCommandTests
            .GetManyByOrganizationIdAsync(organizationId)
            .Returns(groups);

-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });

        AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
        AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);
@ -112,7 +113,7 @@ public class GetGroupsListCommandTests
            .GetManyByOrganizationIdAsync(organizationId)
            .Returns(groups);

-        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, filter, null, null);
+        var result = await sutProvider.Sut.GetGroupsListAsync(organizationId, new GetGroupsQueryParamModel { Filter = filter });

        AssertHelper.AssertPropertyEqual(expectedGroupList, result.groupList);
        AssertHelper.AssertPropertyEqual(expectedTotalResults, result.totalResults);
--- a/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandTests.cs
+++ b/bitwarden_license/test/Scim.Test/Groups/PatchGroupCommandTests.cs
@ -436,7 +436,7 @@ public class PatchGroupCommandTests
        await sutProvider.GetDependency<IGroupService>().DidNotReceiveWithAnyArgs().DeleteUserAsync(default, default);

        // Assert: logging
-        sutProvider.GetDependency<ILogger<PatchGroupCommand>>().ReceivedWithAnyArgs().LogWarning(default);
+        sutProvider.GetDependency<ILogger<PatchGroupCommand>>().ReceivedWithAnyArgs().LogWarning("");
    }

    [Theory]
--- a/bitwarden_license/test/Scim.Test/Users/GetUsersListQueryTests.cs
+++ b/bitwarden_license/test/Scim.Test/Users/GetUsersListQueryTests.cs
@ -1,5 +1,6 @@
 using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
+using Bit.Scim.Models;
 using Bit.Scim.Users;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
--- a/bitwarden_license/test/Scim.Test/Users/PatchUserCommandTests.cs
+++ b/bitwarden_license/test/Scim.Test/Users/PatchUserCommandTests.cs
@ -1,6 +1,6 @@
 using System.Text.Json;
-using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v1;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RevokeUser.v1;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
--- a/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs
+++ b/bitwarden_license/test/Scim.Test/Users/PostUserCommandTests.cs
@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Models.Business;
@ -36,7 +37,7 @@ public class PostUserCommandTests

        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns(organization);

-        sutProvider.GetDependency<IPaymentService>().HasSecretsManagerStandalone(organization).Returns(true);
+        sutProvider.GetDependency<IStripePaymentService>().HasSecretsManagerStandalone(organization).Returns(true);

        sutProvider.GetDependency<IOrganizationService>()
            .InviteUserAsync(organizationId,
--- a/bitwarden_license/test/Sso.IntegrationTest/Controllers/AccountControllerTests.cs
+++ b/bitwarden_license/test/Sso.IntegrationTest/Controllers/AccountControllerTests.cs
@ -0,0 +1,952 @@
+using System.Net;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Sso.IntegrationTest.Utilities;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Bitwarden.License.Test.Sso.IntegrationTest.Utilities;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.AspNetCore.Mvc.Testing;
+using NSubstitute;
+using Xunit;
+using AuthenticationSchemes = Bit.Core.AuthenticationSchemes;
+
+namespace Bit.Sso.IntegrationTest.Controllers;
+
+public class AccountControllerTests(SsoApplicationFactory factory) : IClassFixture<SsoApplicationFactory>
+{
+    private readonly SsoApplicationFactory _factory = factory;
+
+    /*
+    * Test to verify the /Account/ExternalCallback endpoint exists and is reachable.
+    */
+    [Fact]
+    public async Task ExternalCallback_EndpointExists_ReturnsExpectedStatusCode()
+    {
+        // Arrange
+        var client = _factory.CreateClient();
+
+        // Act - Verify the endpoint is accessible (even if it fails due to missing auth)
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - The endpoint should exist and return 500 (not 404) due to missing authentication
+        Assert.NotEqual(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    /*
+    * Test to verify calling /Account/ExternalCallback without an authentication cookie
+    * results in an error as expected.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNoAuthenticationCookie_ReturnsError()
+    {
+        // Arrange
+        var client = _factory.CreateClient();
+
+        // Act - Call ExternalCallback without proper authentication setup
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because there's no external authentication cookie
+        Assert.False(response.IsSuccessStatusCode);
+        // The endpoint will throw an exception when authentication fails
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify behavior of /Account/ExternalCallback with PM24579 feature flag
+    */
+    [Theory]
+    [BitAutoData(true)]
+    [BitAutoData(false)]
+    public async Task ExternalCallback_WithPM24579FeatureFlag_AndNoAuthCookie_ReturnsError
+    (
+        bool featureFlagEnabled
+    )
+    {
+        // Arrange
+        var client = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.ConfigureServices(services =>
+            {
+                var featureService = Substitute.For<IFeatureService>();
+                featureService.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(featureFlagEnabled);
+                services.AddSingleton(featureService);
+            });
+        }).CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert
+        Assert.False(response.IsSuccessStatusCode);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify behavior of /Account/ExternalCallback simulating failed authentication.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithMockedAuthenticationService_FailedAuth_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithFailedAuthentication()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert
+        Assert.False(response.IsSuccessStatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when SSO config exists but is disabled.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithDisabledSsoConfig_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig(ssoConfig => ssoConfig!.Enabled = false)
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because SSO config is disabled
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Organization not found or SSO configuration not enabled", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task ExternalCallback_FindUserFromExternalProviderAsync_OrganizationOrSsoConfigNotFound_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user has invalid status
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Organization not found or SSO configuration not enabled", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when SSO config expects an ACR value
+    * but the authentication response has a missing or invalid ACR claim.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExpectedAcrValue_AndInvalidAcr_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+        .WithSsoConfig(ssoConfig => ssoConfig!.SetData(
+            new SsoConfigurationData
+            {
+                ExpectedReturnAcrValue = "urn:expected:acr:value"
+            }))
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because ACR claim is missing or invalid
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Expected authentication context class reference (acr) was not returned with the authentication response or is invalid", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when the authentication response
+    * does not contain any recognizable user ID claim (sub, NameIdentifier, uid, upn, eppn).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNoUserIdClaim_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .OmitProviderUserId()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback"); ;
+
+        // Assert - Should fail because no user ID claim was found
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Unknown userid", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when no email claim is found
+    * and the providerUserId cannot be used as a fallback email (doesn't contain @).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNoEmailClaim_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithNullEmail()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because no email claim was found
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Cannot find email claim", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when an existing user
+    * uses Key Connector but has no org user record (was removed from organization).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingKeyConnectorUser_AndNoOrgUser_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser(user =>
+            {
+                user.UsesKeyConnector = true;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user uses Key Connector but has no org user record
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("You were removed from the organization managing single sign-on for your account", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when an existing user
+    * uses Key Connector and has an org user record in the invited status.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingKeyConnectorUser_AndInvitedOrgUser_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig(ssoConfig => { })
+            .WithUser(user =>
+            {
+                user.UsesKeyConnector = true;
+            })
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Invited;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user uses Key Connector but the Org user is in the invited status
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("You were removed from the organization managing single sign-on for your account", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when an existing user
+    * (not using Key Connector) has no org user record - they were removed from the organization.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingUser_AndNoOrgUser_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user exists but has no org user record
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("You were removed from the organization managing single sign-on for your account. Contact the organization administrator", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when an existing user
+    * has an org user record with Invited status - they must accept the invite first.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingUser_AndInvitedOrgUserStatus_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Invited;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user must accept invite before using SSO
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("you must first log in using your master password", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when organization has no available seats
+    * and cannot auto-scale because it's a self-hosted instance.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNoAvailableSeats_OnSelfHosted_ReturnsError()
+    {
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithOrganization(org =>
+            {
+                org.Seats = 5; // Organization has seat limit
+            })
+            .AsSelfHosted()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because no seats available and cannot auto-scale on self-hosted
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("No seats available for organization", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when organization has no available seats
+    * and auto-scaling fails (e.g., billing issue, max seats reached).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNoAvailableSeats_AndAutoAddSeatsFails_ReturnsError()
+    {
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithOrganization(org =>
+            {
+                org.Seats = 5;
+                org.MaxAutoscaleSeats = 5;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because auto-adding seats failed
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("No seats available for organization", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when email cannot be found
+    * during new user provisioning (Scenario 2) after bypassing the first email check
+    * via manual linking path (userIdentifier is set).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithUserIdentifier_AndNoEmail_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUserIdentifier("")
+            .WithNullEmail()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because email cannot be found during new user provisioning
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Cannot find email claim", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when org user has an unknown/invalid status.
+    * This tests defensive code that handles future enum values or data corruption scenarios.
+    * We simulate this by casting an invalid integer to OrganizationUserStatusType.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithUnknownOrgUserStatus_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = (OrganizationUserStatusType)99; // Invalid enum value - simulates future status or data corruption
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because org user status is unknown/invalid
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("is in an unknown state", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    // Note: "User should be found ln 304" appears to be unreachable defensive code.
+    // CreateUserAndOrgUserConditionallyAsync always returns a non-null user or throws an exception,
+    // so possibleSsoLinkedUser cannot be null when the feature flag check executes.
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when userIdentifier
+    * is malformed (doesn't contain comma separator for userId,token format).
+    * There is only a single test case here but in the future we may need to expand the
+    * tests to cover other invalid formats.
+    */
+    [Theory]
+    [BitAutoData("No-Comas-Identifier")]
+    public async Task ExternalCallback_WithInvalidUserIdentifierFormat_ReturnsError(
+        string UserIdentifier
+    )
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUserIdentifier(UserIdentifier)
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because userIdentifier format is invalid
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Invalid user identifier", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when userIdentifier
+    * contains valid userId but invalid/mismatched token.
+    *
+    * NOTE: This test uses the substitute pattern instead of SsoTestDataBuilder because:
+    * - The userIdentifier in the auth result must contain a userId that matches a user in the system
+    * - User.SetNewId() always overwrites the Id (unlike Organization.SetNewId() which has a guard)
+    * - This means we cannot pre-set a User.Id before database insertion
+    * - The auth mock must be configured BEFORE accessing factory.Services (required by SubstituteService)
+    * - Therefore, we cannot coordinate the userId between the auth mock and the seeded user
+    * - Using substitutes allows us to control the exact userId and mock UserManager.VerifyUserTokenAsync
+    */
+    [Fact]
+    public async Task ExternalCallback_WithUserIdentifier_AndInvalidToken_ReturnsError()
+    {
+        // Arrange
+        var organizationId = Guid.NewGuid();
+        var providerUserId = Guid.NewGuid().ToString();
+        var userId = Guid.NewGuid();
+        var testEmail = "test_user@integration.test";
+        var testName = "Test User";
+        // Valid format but token won't verify
+        var userIdentifier = $"{userId},invalid-token";
+
+        var claimedUser = new User
+        {
+            Id = userId,
+            Email = testEmail,
+            Name = testName
+        };
+
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Name = "Test Organization",
+            Enabled = true,
+            UseSso = true
+        };
+
+        var ssoConfig = new SsoConfig
+        {
+            OrganizationId = organizationId,
+            Enabled = true
+        };
+        ssoConfig.SetData(new SsoConfigurationData());
+
+        var client = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.ConfigureServices(services =>
+            {
+                var featureService = Substitute.For<IFeatureService>();
+                featureService.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(true);
+                services.AddSingleton(featureService);
+
+                // Mock organization repository
+                var orgRepo = Substitute.For<IOrganizationRepository>();
+                orgRepo.GetByIdAsync(organizationId).Returns(organization);
+                orgRepo.GetByIdentifierAsync(organizationId.ToString()).Returns(organization);
+                services.AddSingleton(orgRepo);
+
+                // Mock SSO config repository
+                var ssoConfigRepo = Substitute.For<ISsoConfigRepository>();
+                ssoConfigRepo.GetByOrganizationIdAsync(organizationId).Returns(ssoConfig);
+                services.AddSingleton(ssoConfigRepo);
+
+                // Mock user repository - no existing user via SSO
+                var userRepo = Substitute.For<IUserRepository>();
+                userRepo.GetBySsoUserAsync(providerUserId, organizationId).Returns((User?)null);
+                services.AddSingleton(userRepo);
+
+                // Mock user service - returns user for manual linking lookup
+                var userService = Substitute.For<IUserService>();
+                userService.GetUserByIdAsync(userId.ToString()).Returns(claimedUser);
+                services.AddSingleton(userService);
+
+                // Mock UserManager to return false for token verification
+                var userManager = Substitute.For<UserManager<User>>(
+                    Substitute.For<IUserStore<User>>(), null, null, null, null, null, null, null, null);
+                userManager.VerifyUserTokenAsync(
+                    claimedUser,
+                    Arg.Any<string>(),
+                    Arg.Any<string>(),
+                    Arg.Any<string>())
+                    .Returns(false);
+                services.AddSingleton(userManager);
+
+                // Mock authentication service with userIdentifier that has valid format but invalid token
+                var authService = Substitute.For<IAuthenticationService>();
+                authService.AuthenticateAsync(
+                        Arg.Any<HttpContext>(),
+                        AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme)
+                    .Returns(MockSuccessfulAuthResult.Build(organizationId, providerUserId, testEmail, testName, null, userIdentifier));
+                services.AddSingleton(authService);
+            });
+        }).CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because token verification failed
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Supplied userId and token did not match", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error for revoked org user when PM24579 feature flag is enabled.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithRevokedOrgUser_WithPM24579FeatureFlagEnabled_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Revoked;
+            })
+            .WithFeatureFlags(factoryService =>
+            {
+                factoryService.SubstituteService<IFeatureService>(srv =>
+                {
+                    srv.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(true);
+                });
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user state is invalid
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains(
+            $"Your access to organization {testData.Organization?.DisplayName()} has been revoked. Please contact your administrator for assistance.",
+            stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error for revoked org user when PM24579 feature flag is disabled.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithRevokedOrgUserStatus_WithPM24579FeatureFlagDisabled_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Revoked;
+            })
+            .WithFeatureFlags(factoryService =>
+            {
+                factoryService.SubstituteService<IFeatureService>(srv =>
+                {
+                    srv.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(false);
+                });
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user has invalid status
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains(
+            $"Your access to organization {testData.Organization?.DisplayName()} has been revoked. Please contact your administrator for assistance.",
+            stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error for invited org user when PM24579 feature flag is disabled.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithInvitedOrgUserStatus_WithPM24579FeatureFlagDisabled_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Invited;
+            })
+            .WithFeatureFlags(factoryService =>
+            {
+                factoryService.SubstituteService<IFeatureService>(srv =>
+                {
+                    srv.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(false);
+                });
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because user has invalid status
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains(
+        $"To accept your invite to {testData.Organization?.DisplayName()}, you must first log in using your master password. Once your invite has been accepted, you will be able to log in using SSO.",
+            stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when user is found via SSO
+    * but has no organization user record (with feature flag enabled).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithSsoUser_AndNoOrgUser_WithFeatureFlagEnabled_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithSsoUser()
+            .WithFeatureFlags(factoryService =>
+            {
+                factoryService.SubstituteService<IFeatureService>(srv =>
+                {
+                    srv.IsEnabled(FeatureFlagKeys.PM24579_PreventSsoOnExistingNonCompliantUsers).Returns(true);
+                });
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because org user cannot be found
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Could not find organization user", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when the provider scheme
+    * is not a valid GUID (SSOProviderIsNotAnOrgId).
+    *
+    * NOTE: This test uses the substitute pattern instead of SsoTestDataBuilder because:
+    * - Organization.Id is of type Guid and cannot be set to a non-GUID value
+    * - The auth mock scheme must be a non-GUID string to trigger this error path
+    * - This cannot be tested since ln 438 in AccountController.FindUserFromExternalProviderAsync throws a different exception
+    *   before reaching the organization lookup exception.
+    */
+    [Fact(Skip = "This test cannot be executed because the organization ID must be a GUID. See note in test summary.")]
+    public async Task ExternalCallback_WithInvalidProviderGuid_ReturnsError()
+    {
+        // Arrange
+        var invalidScheme = "not-a-valid-guid";
+        var providerUserId = Guid.NewGuid().ToString();
+        var testEmail = "test@example.com";
+        var testName = "Test User";
+
+        var client = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.ConfigureServices(services =>
+            {
+                // Mock authentication service with invalid (non-GUID) scheme
+                var authService = Substitute.For<IAuthenticationService>();
+                authService.AuthenticateAsync(
+                        Arg.Any<HttpContext>(),
+                        AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme)
+                    .Returns(MockSuccessfulAuthResult.Build(invalidScheme, providerUserId, testEmail, testName));
+                services.AddSingleton(authService);
+            });
+        }).CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because provider is not a valid organization GUID
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Organization not found from identifier.", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * Test to verify /Account/ExternalCallback returns error when the organization ID
+    * in the auth result does not match any organization in the database.
+    * NOTE: This code path is unreachable because the SsoConfig must exist to proceed, but there is a circular dependency:
+    * - SsoConfig cannot exist without a valid Organization but the test is testing that an Organization cannot be found.
+    */
+    [Fact(Skip = "This code path is unreachable because the SsoConfig must exist to proceed. But the SsoConfig cannot exist without a valid Organization.")]
+    public async Task ExternalCallback_WithNonExistentOrganization_ReturnsError()
+    {
+        // Arrange
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithNonExistentOrganizationInAuth()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient();
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should fail because organization cannot be found by the ID in auth result
+        var stringResponse = await response.Content.ReadAsStringAsync();
+        Assert.Contains("Could not find organization", stringResponse);
+        Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
+    }
+
+    /*
+    * SUCCESS PATH: Test to verify /Account/ExternalCallback succeeds when an existing
+    * SSO-linked user logs in (user exists in SsoUser table).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingSsoUser_ReturnsSuccess()
+    {
+        // Arrange - User with SSO link already exists
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser()
+            .WithSsoUser()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            AllowAutoRedirect = false // Prevent auto-redirects to capture initial response
+        });
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should succeed and redirect
+        Assert.True(
+            response.StatusCode == HttpStatusCode.Redirect,
+            $"Expected success/redirect but got {response.StatusCode}");
+
+        Assert.NotNull(response.Headers.Location);
+    }
+
+    /*
+    * SUCCESS PATH: Test to verify /Account/ExternalCallback succeeds when JIT provisioning
+    * a new user (user doesn't exist, gets created automatically).
+    */
+    [Fact]
+    public async Task ExternalCallback_WithJitProvisioning_ReturnsSuccess()
+    {
+        // Arrange - No user, no org user - JIT provisioning will create both
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            AllowAutoRedirect = false // Prevent auto-redirects to capture initial response
+        });
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should succeed and redirect
+        Assert.True(
+            response.StatusCode == HttpStatusCode.Redirect,
+            $"Expected success/redirect but got {response.StatusCode}");
+
+        Assert.NotNull(response.Headers.Location);
+    }
+
+    /*
+    * SUCCESS PATH: Test to verify /Account/ExternalCallback succeeds when an existing user
+    * with a valid (Confirmed) organization user status logs in via SSO for the first time.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingUserAndConfirmedOrgUser_ReturnsSuccess()
+    {
+        // Arrange - Existing user with confirmed org user status, no SSO link yet
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Confirmed;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            AllowAutoRedirect = false // Prevent auto-redirects to capture initial response
+        });
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should succeed and redirect
+        Assert.True(
+            response.StatusCode == HttpStatusCode.Redirect,
+            $"Expected success/redirect but got {response.StatusCode}");
+
+        Assert.NotNull(response.Headers.Location);
+    }
+
+    /*
+    * SUCCESS PATH: Test to verify /Account/ExternalCallback succeeds when an existing user
+    * with Accepted organization user status logs in via SSO.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithExistingUserAndAcceptedOrgUser_ReturnsSuccess()
+    {
+        // Arrange - Existing user with accepted org user status
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser(orgUser =>
+            {
+                orgUser.Status = OrganizationUserStatusType.Accepted;
+            })
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            AllowAutoRedirect = false // Prevent auto-redirects to capture initial response
+        });
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Should succeed and redirect
+        Assert.True(
+            response.StatusCode == HttpStatusCode.Redirect,
+            $"Expected success/redirect but got {response.StatusCode}");
+
+        Assert.NotNull(response.Headers.Location);
+    }
+
+    /*
+    * SUCCESS PATH: Test to verify /Account/ExternalCallback returns a View with 200 status
+    * when the client is a native application (uses custom URI scheme like "bitwarden://callback").
+    * Native clients get a different response for better UX - a 200 with redirect view instead of 302.
+    * See AccountController lines 371-378.
+    */
+    [Fact]
+    public async Task ExternalCallback_WithNativeClient_ReturnsViewWith200Status()
+    {
+        // Arrange - Existing SSO user with native client context
+        var testData = await new SsoTestDataBuilder()
+            .WithSsoConfig()
+            .WithUser()
+            .WithOrganizationUser()
+            .WithSsoUser()
+            .AsNativeClient()
+            .BuildAsync();
+
+        var client = testData.Factory.CreateClient(new WebApplicationFactoryClientOptions
+        {
+            AllowAutoRedirect = false
+        });
+
+        // Act
+        var response = await client.GetAsync("/Account/ExternalCallback");
+
+        // Assert - Native clients get 200 status with a redirect view instead of 302
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+        // The Location header should be empty for native clients (set in controller)
+        // and the response should contain the redirect view
+        var content = await response.Content.ReadAsStringAsync();
+        Assert.NotEmpty(content); // View content should be present
+    }
+}
--- a/bitwarden_license/test/Sso.IntegrationTest/Properties/launchSettings.json
+++ b/bitwarden_license/test/Sso.IntegrationTest/Properties/launchSettings.json
@ -0,0 +1,12 @@
+{
+  "profiles": {
+    "Sso.IntegrationTest": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      },
+      "applicationUrl": "https://localhost:59973;http://localhost:59974"
+    }
+  }
+}
--- a/bitwarden_license/test/Sso.IntegrationTest/Sso.IntegrationTest.csproj
+++ b/bitwarden_license/test/Sso.IntegrationTest/Sso.IntegrationTest.csproj
@ -0,0 +1,41 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+
+    <IsPackable>false</IsPackable>
+    <IsTestProject>true</IsTestProject>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="coverlet.collector" Version="$(CoverletCollectorVersion)">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="8.0.10" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="$(MicrosoftNetTestSdkVersion)" />
+    <PackageReference Include="NSubstitute" Version="$(NSubstituteVersion)" />
+    <PackageReference Include="xunit" Version="$(XUnitVersion)" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="$(XUnitRunnerVisualStudioVersion)">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="AutoFixture.Xunit2" Version="$(AutoFixtureXUnit2Version)" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\Sso\Sso.csproj" />
+    <ProjectReference Include="..\..\..\test\Common\Common.csproj" />
+    <ProjectReference Include="..\..\..\test\IntegrationTestCommon\IntegrationTestCommon.csproj" />
+  </ItemGroup>
+  <ItemGroup>
+    <Content Update="Properties\launchSettings.json">
+      <ExcludeFromSingleFile>true</ExcludeFromSingleFile>
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+      <CopyToPublishDirectory>Never</CopyToPublishDirectory>
+    </Content>
+  </ItemGroup>
+
+</Project>
--- a/bitwarden_license/test/Sso.IntegrationTest/Utilities/SsoApplicationFactory.cs
+++ b/bitwarden_license/test/Sso.IntegrationTest/Utilities/SsoApplicationFactory.cs
@ -0,0 +1,11 @@
+using Bit.IntegrationTestCommon.Factories;
+
+namespace Bit.Sso.IntegrationTest.Utilities;
+
+public class SsoApplicationFactory : WebApplicationFactoryBase<Startup>
+{
+    protected override void ConfigureWebHost(IWebHostBuilder builder)
+    {
+        base.ConfigureWebHost(builder);
+    }
+}
--- a/bitwarden_license/test/Sso.IntegrationTest/Utilities/SsoTestDataBuilder.cs
+++ b/bitwarden_license/test/Sso.IntegrationTest/Utilities/SsoTestDataBuilder.cs
@ -0,0 +1,327 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Auth.Entities;
+using Bit.Core.Auth.Models.Data;
+using Bit.Core.Auth.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Settings;
+using Bitwarden.License.Test.Sso.IntegrationTest.Utilities;
+using Duende.IdentityServer.Models;
+using Duende.IdentityServer.Services;
+using Microsoft.AspNetCore.Authentication;
+using NSubstitute;
+using AuthenticationSchemes = Bit.Core.AuthenticationSchemes;
+
+namespace Bit.Sso.IntegrationTest.Utilities;
+
+/// <summary>
+/// Contains the factory and all entities created by <see cref="SsoTestDataBuilder"/> for use in integration tests.
+/// </summary>
+public record SsoTestData(
+    SsoApplicationFactory Factory,
+    Organization? Organization,
+    User? User,
+    OrganizationUser? OrganizationUser,
+    SsoConfig? SsoConfig,
+    SsoUser? SsoUser);
+
+/// <summary>
+/// Builder for creating SSO test data with seeded database entities.
+/// </summary>
+public class SsoTestDataBuilder
+{
+    /// <summary>
+    /// This UserIdentifier is a mock for the UserIdentifier we get from the External Identity Provider.
+    /// </summary>
+    private string? _userIdentifier;
+    private Action<Organization>? _organizationConfig;
+    private Action<User>? _userConfig;
+    private Action<OrganizationUser>? _orgUserConfig;
+    private Action<SsoConfig>? _ssoConfigConfig;
+    private Action<SsoUser>? _ssoUserConfig;
+    private Action<SsoApplicationFactory>? _featureFlagConfig;
+
+    private bool _includeUser = false;
+    private bool _includeSsoUser = false;
+    private bool _includeOrganizationUser = false;
+    private bool _includeSsoConfig = false;
+    private bool _successfulAuth = true;
+    private bool _withNullEmail = false;
+    private bool _isSelfHosted = false;
+    private bool _includeProviderUserId = true;
+    private bool _useNonExistentOrgInAuth = false;
+    private bool _isNativeClient = false;
+
+    public SsoTestDataBuilder WithOrganization(Action<Organization> configure)
+    {
+        _organizationConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithUser(Action<User>? configure = null)
+    {
+        _includeUser = true;
+        _userConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithOrganizationUser(Action<OrganizationUser>? configure = null)
+    {
+        _includeOrganizationUser = true;
+        _orgUserConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithSsoConfig(Action<SsoConfig>? configure = null)
+    {
+        _includeSsoConfig = true;
+        _ssoConfigConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithSsoUser(Action<SsoUser>? configure = null)
+    {
+        _includeSsoUser = true;
+        _ssoUserConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithFeatureFlags(Action<SsoApplicationFactory> configure)
+    {
+        _featureFlagConfig = configure;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithFailedAuthentication()
+    {
+        _successfulAuth = false;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithNullEmail()
+    {
+        _withNullEmail = true;
+        return this;
+    }
+
+    public SsoTestDataBuilder WithUserIdentifier(string userIdentifier)
+    {
+        _userIdentifier = userIdentifier;
+        return this;
+    }
+
+    public SsoTestDataBuilder OmitProviderUserId()
+    {
+        _includeProviderUserId = false;
+        return this;
+    }
+
+    public SsoTestDataBuilder AsSelfHosted()
+    {
+        _isSelfHosted = true;
+        return this;
+    }
+
+    /// <summary>
+    /// Causes the auth result to use a different (non-existent) organization ID than what is seeded
+    /// in the database. This simulates the "organization not found" scenario.
+    /// </summary>
+    public SsoTestDataBuilder WithNonExistentOrganizationInAuth()
+    {
+        _useNonExistentOrgInAuth = true;
+        return this;
+    }
+
+    /// <summary>
+    /// Configures the test to simulate a native client (non-browser) OIDC flow.
+    /// Native clients use custom URI schemes (e.g., "bitwarden://callback") instead of http/https.
+    /// This causes ExternalCallback to return a View with 200 status instead of a redirect.
+    /// </summary>
+    public SsoTestDataBuilder AsNativeClient()
+    {
+        _isNativeClient = true;
+        return this;
+    }
+
+    public async Task<SsoTestData> BuildAsync()
+    {
+        // Create factory
+        var factory = new SsoApplicationFactory();
+
+        // Pre-generate IDs and values needed for auth mock (before accessing Services)
+        var organizationId = Guid.NewGuid();
+        // Use a different org ID in auth if testing "organization not found" scenario
+        var authOrganizationId = _useNonExistentOrgInAuth ? Guid.NewGuid() : organizationId;
+        var providerUserId = _includeProviderUserId ? Guid.NewGuid().ToString() : "";
+        var userEmail = _withNullEmail ? null : $"user_{Guid.NewGuid()}@test.com";
+        var userName = "TestUser";
+
+        // 1. Configure mocked authentication service BEFORE accessing Services
+        factory.SubstituteService<IAuthenticationService>(authService =>
+        {
+            if (_successfulAuth)
+            {
+                authService.AuthenticateAsync(
+                        Arg.Any<HttpContext>(),
+                        AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme)
+                    .Returns(MockSuccessfulAuthResult.Build(
+                        authOrganizationId,
+                        providerUserId,
+                        userEmail,
+                        userName,
+                        acrValue: null,
+                        _userIdentifier));
+            }
+            else
+            {
+                authService.AuthenticateAsync(
+                        Arg.Any<HttpContext>(),
+                        AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme)
+                    .Returns(AuthenticateResult.Fail("External authentication error"));
+            }
+        });
+
+        // 1.a Configure GlobalSettings for Self-Hosted and seat limit
+        factory.SubstituteService<IGlobalSettings>(globalSettings =>
+        {
+            globalSettings.SelfHosted.Returns(_isSelfHosted);
+        });
+
+        // 1.b configure setting feature flags
+        _featureFlagConfig?.Invoke(factory);
+
+        // 1.c Configure IIdentityServerInteractionService for native client flow
+        if (_isNativeClient)
+        {
+            factory.SubstituteService<IIdentityServerInteractionService>(interaction =>
+            {
+                // Native clients have redirect URIs that don't start with http/https
+                // e.g., "bitwarden://callback" or "com.bitwarden.app://callback"
+                var authorizationRequest = new AuthorizationRequest
+                {
+                    RedirectUri = "bitwarden://sso-callback"
+                };
+                interaction.GetAuthorizationContextAsync(Arg.Any<string>())
+                    .Returns(authorizationRequest);
+            });
+        }
+
+        if (!_successfulAuth)
+        {
+            return new SsoTestData(factory, null!, null!, null!, null!, null!);
+        }
+
+        // 2. Create Organization with defaults (using pre-generated ID)
+        var organization = new Organization
+        {
+            Id = organizationId,
+            Name = "Test Organization",
+            BillingEmail = "billing@test.com",
+            Plan = "Enterprise",
+            Enabled = true,
+            UseSso = true
+        };
+        _organizationConfig?.Invoke(organization);
+
+        var orgRepo = factory.Services.GetRequiredService<IOrganizationRepository>();
+        organization = await orgRepo.CreateAsync(organization);
+
+        // 3. Create User with defaults (using pre-generated values)
+        User? user = null;
+        if (_includeUser)
+        {
+            user = new User
+            {
+                Email = userEmail ?? $"email_{Guid.NewGuid()}@test.dev",
+                Name = userName,
+                ApiKey = Guid.NewGuid().ToString(),
+                SecurityStamp = Guid.NewGuid().ToString()
+            };
+            _userConfig?.Invoke(user);
+
+            var userRepo = factory.Services.GetRequiredService<IUserRepository>();
+            user = await userRepo.CreateAsync(user);
+        }
+
+        // 4. Create OrganizationUser linking them
+        OrganizationUser? orgUser = null;
+        if (_includeOrganizationUser)
+        {
+            orgUser = new OrganizationUser
+            {
+                OrganizationId = organization.Id,
+                UserId = user!.Id,
+                Status = OrganizationUserStatusType.Confirmed,
+                Type = OrganizationUserType.User
+            };
+            _orgUserConfig?.Invoke(orgUser);
+
+            var orgUserRepo = factory.Services.GetRequiredService<IOrganizationUserRepository>();
+            orgUser = await orgUserRepo.CreateAsync(orgUser);
+        }
+
+        // 4.a Create many OrganizationUser to test seat count logic
+        if (organization.Seats > 1)
+        {
+            var orgUserRepo = factory.Services.GetRequiredService<IOrganizationUserRepository>();
+            var userRepo = factory.Services.GetRequiredService<IUserRepository>();
+            var additionalOrgUsers = new List<OrganizationUser>();
+            for (var i = 1; i <= organization.Seats; i++)
+            {
+                var additionalUser = new User
+                {
+                    Email = $"additional_user_{i}_{Guid.NewGuid()}@test.dev",
+                    Name = $"AdditionalUser{i}",
+                    ApiKey = Guid.NewGuid().ToString(),
+                    SecurityStamp = Guid.NewGuid().ToString()
+                };
+                var createdAdditionalUser = await userRepo.CreateAsync(additionalUser);
+
+                var additionalOrgUser = new OrganizationUser
+                {
+                    OrganizationId = organization.Id,
+                    UserId = createdAdditionalUser.Id,
+                    Status = OrganizationUserStatusType.Confirmed,
+                    Type = OrganizationUserType.User
+                };
+                additionalOrgUsers.Add(additionalOrgUser);
+            }
+            await orgUserRepo.CreateManyAsync(additionalOrgUsers);
+        }
+
+        // 5. Create SsoConfig, if ssoConfigConfig is not null
+        SsoConfig? ssoConfig = null;
+        if (_includeSsoConfig)
+        {
+            ssoConfig = new SsoConfig
+            {
+                OrganizationId = authOrganizationId,
+                Enabled = true
+            };
+            ssoConfig.SetData(new SsoConfigurationData());
+            _ssoConfigConfig?.Invoke(ssoConfig);
+
+            var ssoConfigRepo = factory.Services.GetRequiredService<ISsoConfigRepository>();
+            ssoConfig = await ssoConfigRepo.CreateAsync(ssoConfig);
+        }
+
+        // 6. Optionally create SsoUser (using pre-generated providerUserId as ExternalId)
+        SsoUser? ssoUser = null;
+        if (_includeSsoUser)
+        {
+            ssoUser = new SsoUser
+            {
+                OrganizationId = organization.Id,
+                UserId = user!.Id,
+                ExternalId = providerUserId
+            };
+            _ssoUserConfig?.Invoke(ssoUser);
+
+            var ssoUserRepo = factory.Services.GetRequiredService<ISsoUserRepository>();
+            ssoUser = await ssoUserRepo.CreateAsync(ssoUser);
+        }
+
+        return new SsoTestData(factory, organization, user, orgUser, ssoConfig, ssoUser);
+    }
+}
--- a/bitwarden_license/test/Sso.IntegrationTest/Utilities/SuccessfulAuthResult.cs
+++ b/bitwarden_license/test/Sso.IntegrationTest/Utilities/SuccessfulAuthResult.cs
@ -0,0 +1,88 @@
+using System.Security.Claims;
+using Bit.Core;
+using Duende.IdentityModel;
+using Microsoft.AspNetCore.Authentication;
+
+namespace Bitwarden.License.Test.Sso.IntegrationTest.Utilities;
+
+/// <summary>
+/// Creates a mock for use in tests requiring a valid external authentication result.
+/// </summary>
+internal static class MockSuccessfulAuthResult
+{
+    /// <summary>
+    /// Since this tests the external Authentication flow, only the OrganizationId is strictly required.
+    /// However, some tests may require additional claims to be present, so they can be optionally added.
+    /// </summary>
+    /// <param name="organizationId"></param>
+    /// <param name="providerUserId"></param>
+    /// <param name="email"></param>
+    /// <param name="name"></param>
+    /// <param name="acrValue"></param>
+    /// <param name="userIdentifier"></param>
+    /// <returns></returns>
+    public static AuthenticateResult Build(
+            Guid organizationId,
+            string? providerUserId,
+            string? email,
+            string? name = null,
+            string? acrValue = null,
+            string? userIdentifier = null)
+    {
+        return Build(organizationId.ToString(), providerUserId, email, name, acrValue, userIdentifier);
+    }
+
+    /// <summary>
+    /// Overload that accepts a custom scheme string. Useful for testing invalid provider scenarios
+    /// where the scheme is not a valid GUID.
+    /// </summary>
+    public static AuthenticateResult Build(
+            string scheme,
+            string? providerUserId,
+            string? email,
+            string? name = null,
+            string? acrValue = null,
+            string? userIdentifier = null)
+    {
+        var claims = new List<Claim>();
+
+        if (!string.IsNullOrEmpty(email))
+        {
+            claims.Add(new Claim(JwtClaimTypes.Email, email));
+        }
+
+        if (!string.IsNullOrEmpty(providerUserId))
+        {
+            claims.Add(new Claim(JwtClaimTypes.Subject, providerUserId));
+        }
+
+        if (!string.IsNullOrEmpty(name))
+        {
+            claims.Add(new Claim(JwtClaimTypes.Name, name));
+        }
+
+        if (!string.IsNullOrEmpty(acrValue))
+        {
+            claims.Add(new Claim(JwtClaimTypes.AuthenticationContextClassReference, acrValue));
+        }
+
+        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "External"));
+        var properties = new AuthenticationProperties
+        {
+            Items =
+            {
+                ["scheme"] = scheme,
+                ["return_url"] = "~/",
+                ["state"] = "test-state",
+                ["user_identifier"] = userIdentifier ?? string.Empty
+            }
+        };
+
+        var ticket = new AuthenticationTicket(
+            principal,
+            properties,
+            AuthenticationSchemes.BitwardenExternalCookieAuthenticationScheme);
+
+        return AuthenticateResult.Success(ticket);
+    }
+}
--- a/dev/docker-compose.yml
+++ b/dev/docker-compose.yml
@ -53,10 +53,10 @@ services:
      - ./.data/postgres/log:/var/log/postgresql
    profiles:
      - postgres
+      - ef

  mysql:
    image: mysql:8.0
-    container_name: bw-mysql
    ports:
      - "3306:3306"
    command:
@ -69,6 +69,7 @@ services:
      - mysql_dev_data:/var/lib/mysql
    profiles:
      - mysql
+      - ef

  mariadb:
    image: mariadb:10
@ -76,17 +77,16 @@ services:
      - 4306:3306
    environment:
      MARIADB_USER: maria
-      MARIADB_PASSWORD: ${MARIADB_ROOT_PASSWORD}
      MARIADB_DATABASE: vault_dev
      MARIADB_RANDOM_ROOT_PASSWORD: "true"
    volumes:
      - mariadb_dev_data:/var/lib/mysql
    profiles:
      - mariadb
+      - ef

  idp:
    image: kenchan0130/simplesamlphp:1.19.8
-    container_name: idp
    ports:
      - "8090:8080"
    environment:
@ -99,8 +99,7 @@ services:
      - idp

  rabbitmq:
-    image: rabbitmq:4.1.0-management
-    container_name: rabbitmq
+    image: rabbitmq:4.2.0-management
    ports:
      - "5672:5672"
      - "15672:15672"
@ -114,7 +113,6 @@ services:

  reverse-proxy:
    image: nginx:alpine
-    container_name: reverse-proxy
    volumes:
      - "./reverse-proxy.conf:/etc/nginx/conf.d/default.conf"
    ports:
@ -124,7 +122,6 @@ services:
      - proxy

  service-bus:
-    container_name: service-bus
    image: mcr.microsoft.com/azure-messaging/servicebus-emulator:latest
    pull_policy: always
    volumes:
@ -140,7 +137,6 @@ services:

  redis:
    image: redis:alpine
-    container_name: bw-redis
    ports:
      - "6379:6379"
    volumes:
@ -153,5 +149,6 @@ volumes:
  mssql_dev_data:
  postgres_dev_data:
  mysql_dev_data:
+  mariadb_dev_data:
  rabbitmq_data:
  redis_data:
--- a/dev/generate_openapi_files.ps1
+++ b/dev/generate_openapi_files.ps1
@ -18,11 +18,11 @@ if ($LASTEXITCODE -ne 0) {
 # Api internal & public
 Set-Location "../../src/Api"
 dotnet build
-dotnet swagger tofile --output "../../api.json" --host "https://api.bitwarden.com" "./bin/Debug/net8.0/Api.dll" "internal"
+dotnet swagger tofile --output "../../api.json" "./bin/Debug/net8.0/Api.dll" "internal"
 if ($LASTEXITCODE -ne 0) {
    exit $LASTEXITCODE
 }
-dotnet swagger tofile --output "../../api.public.json" --host "https://api.bitwarden.com" "./bin/Debug/net8.0/Api.dll" "public"
+dotnet swagger tofile --output "../../api.public.json" "./bin/Debug/net8.0/Api.dll" "public"
 if ($LASTEXITCODE -ne 0) {
    exit $LASTEXITCODE
 }
--- a/dev/migrate.ps1
+++ b/dev/migrate.ps1
@ -70,7 +70,7 @@ Foreach ($item in @(
    @($mysql, "MySQL", "MySqlMigrations", "mySql", 2),
    # MariaDB shares the MySQL connection string in the server config so they are mutually exclusive in that context.
    # However they can still be run independently for integration tests.
-    @($mariadb, "MariaDB", "MySqlMigrations", "mySql", 3) 
+    @($mariadb, "MariaDB", "MySqlMigrations", "mySql", 4) 
 )) {
  if (!$item[0] -and !$all) {
    continue
--- a/dev/secrets.json.example
+++ b/dev/secrets.json.example
@ -33,6 +33,12 @@
      "id": "<your Installation Id>",
      "key": "<your Installation Key>"
    },
-    "licenseDirectory": "<full path to license directory>"
+    "events": {
+      "connectionString": "",
+      "queueName": "event"
+    },
+    "licenseDirectory": "<full path to license directory>",
+    "enableNewDeviceVerification": true,
+    "enableEmailVerification": true
  }
 }
--- a/dev/servicebusemulator_config.json
+++ b/dev/servicebusemulator_config.json
@ -3,22 +3,6 @@
    "Namespaces": [
      {
        "Name": "sbemulatorns",
-        "Queues": [
-          {
-            "Name": "queue.1",
-            "Properties": {
-              "DeadLetteringOnMessageExpiration": false,
-              "DefaultMessageTimeToLive": "PT1H",
-              "DuplicateDetectionHistoryTimeWindow": "PT20S",
-              "ForwardDeadLetteredMessagesTo": "",
-              "ForwardTo": "",
-              "LockDuration": "PT1M",
-              "MaxDeliveryCount": 3,
-              "RequiresDuplicateDetection": false,
-              "RequiresSession": false
-            }
-          }
-        ],
        "Topics": [
          {
            "Name": "event-logging",
@ -34,6 +18,12 @@
              },
              {
                "Name": "events-hec-subscription"
+              },
+              {
+                "Name": "events-datadog-subscription"
+              },
+              {
+                "Name": "events-teams-subscription"
              }
            ]
          },
@ -81,6 +71,34 @@
                    }
                  }
                ]
+              },
+              {
+                "Name": "integration-datadog-subscription",
+                "Rules": [
+                  {
+                    "Name": "datadog-integration-filter",
+                    "Properties": {
+                      "FilterType": "Correlation",
+                      "CorrelationFilter": {
+                        "Label": "datadog"
+                      }
+                    }
+                  }
+                ]
+              },
+              {
+                "Name": "integration-teams-subscription",
+                "Rules": [
+                  {
+                    "Name": "teams-integration-filter",
+                    "Properties": {
+                      "FilterType": "Correlation",
+                      "CorrelationFilter": {
+                        "Label": "teams"
+                      }
+                    }
+                  }
+                ]
              }
            ]
          }
--- a/dev/verify_migrations.ps1
+++ b/dev/verify_migrations.ps1
@ -0,0 +1,132 @@
+#!/usr/bin/env pwsh
+
+<#
+.SYNOPSIS
+    Validates that new database migration files follow naming conventions and chronological order.
+
+.DESCRIPTION
+    This script validates migration files in util/Migrator/DbScripts/ to ensure:
+    1. New migrations follow the naming format: YYYY-MM-DD_NN_Description.sql
+    2. New migrations are chronologically ordered (filename sorts after existing migrations)
+    3. Dates use leading zeros (e.g., 2025-01-05, not 2025-1-5)
+    4. A 2-digit sequence number is included (e.g., _00, _01)
+
+.PARAMETER BaseRef
+    The base git reference to compare against (e.g., 'main', 'HEAD~1')
+
+.PARAMETER CurrentRef
+    The current git reference (defaults to 'HEAD')
+
+.EXAMPLE
+    # For pull requests - compare against main branch
+    .\verify_migrations.ps1 -BaseRef main
+
+.EXAMPLE
+    # For pushes - compare against previous commit
+    .\verify_migrations.ps1 -BaseRef HEAD~1
+#>
+
+param(
+    [Parameter(Mandatory = $true)]
+    [string]$BaseRef,
+
+    [Parameter(Mandatory = $false)]
+    [string]$CurrentRef = "HEAD"
+)
+
+# Use invariant culture for consistent string comparison
+[System.Threading.Thread]::CurrentThread.CurrentCulture = [System.Globalization.CultureInfo]::InvariantCulture
+
+$migrationPath = "util/Migrator/DbScripts"
+
+# Get list of migrations from base reference
+try {
+    $baseMigrations = git ls-tree -r --name-only $BaseRef -- "$migrationPath/" 2>$null | Where-Object { $_ -like "*.sql" } | Sort-Object
+    if ($LASTEXITCODE -ne 0) {
+        Write-Host "Warning: Could not retrieve migrations from base reference '$BaseRef'"
+        $baseMigrations = @()
+    }
+}
+catch {
+    Write-Host "Warning: Could not retrieve migrations from base reference '$BaseRef'"
+    $baseMigrations = @()
+}
+
+# Get list of migrations from current reference
+$currentMigrations = git ls-tree -r --name-only $CurrentRef -- "$migrationPath/" | Where-Object { $_ -like "*.sql" } | Sort-Object
+
+# Find added migrations
+$addedMigrations = $currentMigrations | Where-Object { $_ -notin $baseMigrations }
+
+if ($addedMigrations.Count -eq 0) {
+    Write-Host "No new migration files added."
+    exit 0
+}
+
+Write-Host "New migration files detected:"
+$addedMigrations | ForEach-Object { Write-Host "  $_" }
+Write-Host ""
+
+# Get the last migration from base reference
+if ($baseMigrations.Count -eq 0) {
+    Write-Host "No previous migrations found (initial commit?). Skipping validation."
+    exit 0
+}
+
+$lastBaseMigration = Split-Path -Leaf ($baseMigrations | Select-Object -Last 1)
+Write-Host "Last migration in base reference: $lastBaseMigration"
+Write-Host ""
+
+# Required format regex: YYYY-MM-DD_NN_Description.sql
+$formatRegex = '^[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}_.+\.sql$'
+
+$validationFailed = $false
+
+foreach ($migration in $addedMigrations) {
+    $migrationName = Split-Path -Leaf $migration
+
+    # Validate NEW migration filename format
+    if ($migrationName -notmatch $formatRegex) {
+        Write-Host "ERROR: Migration '$migrationName' does not match required format"
+        Write-Host "Required format: YYYY-MM-DD_NN_Description.sql"
+        Write-Host "  - YYYY: 4-digit year"
+        Write-Host "  - MM: 2-digit month with leading zero (01-12)"
+        Write-Host "  - DD: 2-digit day with leading zero (01-31)"
+        Write-Host "  - NN: 2-digit sequence number (00, 01, 02, etc.)"
+        Write-Host "Example: 2025-01-15_00_MyMigration.sql"
+        $validationFailed = $true
+        continue
+    }
+
+    # Compare migration name with last base migration (using ordinal string comparison)
+    if ([string]::CompareOrdinal($migrationName, $lastBaseMigration) -lt 0) {
+        Write-Host "ERROR: New migration '$migrationName' is not chronologically after '$lastBaseMigration'"
+        $validationFailed = $true
+    }
+    else {
+        Write-Host "OK: '$migrationName' is chronologically after '$lastBaseMigration'"
+    }
+}
+
+Write-Host ""
+
+if ($validationFailed) {
+    Write-Host "FAILED: One or more migrations are incorrectly named or not in chronological order"
+    Write-Host ""
+    Write-Host "All new migration files must:"
+    Write-Host "  1. Follow the naming format: YYYY-MM-DD_NN_Description.sql"
+    Write-Host "  2. Use leading zeros in dates (e.g., 2025-01-05, not 2025-1-5)"
+    Write-Host "  3. Include a 2-digit sequence number (e.g., _00, _01)"
+    Write-Host "  4. Have a filename that sorts after the last migration in base"
+    Write-Host ""
+    Write-Host "To fix this issue:"
+    Write-Host "  1. Locate your migration file(s) in util/Migrator/DbScripts/"
+    Write-Host "  2. Rename to follow format: YYYY-MM-DD_NN_Description.sql"
+    Write-Host "  3. Ensure the date is after $lastBaseMigration"
+    Write-Host ""
+    Write-Host "Example: 2025-01-15_00_AddNewFeature.sql"
+    exit 1
+}
+
+Write-Host "SUCCESS: All new migrations are correctly named and in chronological order"
+exit 0
--- a/global.json
+++ b/global.json
@ -5,6 +5,7 @@
  },
  "msbuild-sdks": {
    "Microsoft.Build.Traversal": "4.1.0",
-    "Microsoft.Build.Sql": "1.0.0"
+    "Microsoft.Build.Sql": "1.0.0",
+    "Bitwarden.Server.Sdk": "1.2.0"
  }
 }
--- a/perf/MicroBenchmarks/MicroBenchmarks.csproj
+++ b/perf/MicroBenchmarks/MicroBenchmarks.csproj
@ -7,7 +7,7 @@
  </PropertyGroup>

  <ItemGroup>
-    <PackageReference Include="BenchmarkDotNet" Version="0.14.0" />
+    <PackageReference Include="BenchmarkDotNet" Version="0.15.3" />
  </ItemGroup>

  <ItemGroup>
--- a/perf/load/config.js
+++ b/perf/load/config.js
@ -9,12 +9,6 @@ const AUTH_USERNAME = __ENV.AUTH_USER_EMAIL;
 const AUTH_PASSWORD = __ENV.AUTH_USER_PASSWORD_HASH;

 export const options = {
-  ext: {
-    loadimpact: {
-      projectID: 3639465,
-      name: "Config",
-    },
-  },
  scenarios: {
    constant_load: {
      executor: "constant-arrival-rate",
--- a/perf/load/groups.js
+++ b/perf/load/groups.js
@ -10,12 +10,6 @@ const AUTH_CLIENT_ID = __ENV.AUTH_CLIENT_ID;
 const AUTH_CLIENT_SECRET = __ENV.AUTH_CLIENT_SECRET;

 export const options = {
-  ext: {
-    loadimpact: {
-      projectID: 3639465,
-      name: "Groups",
-    },
-  },
  scenarios: {
    constant_load: {
      executor: "constant-arrival-rate",
--- a/perf/load/login.js
+++ b/perf/load/login.js
@ -6,12 +6,6 @@ const AUTH_USERNAME = __ENV.AUTH_USER_EMAIL;
 const AUTH_PASSWORD = __ENV.AUTH_USER_PASSWORD_HASH;

 export const options = {
-  ext: {
-    loadimpact: {
-      projectID: 3639465,
-      name: "Login",
-    },
-  },
  scenarios: {
    constant_load: {
      executor: "constant-arrival-rate",
--- a/perf/load/sync.js
+++ b/perf/load/sync.js
@ -9,12 +9,6 @@ const AUTH_USERNAME = __ENV.AUTH_USER_EMAIL;
 const AUTH_PASSWORD = __ENV.AUTH_USER_PASSWORD_HASH;

 export const options = {
-  ext: {
-    loadimpact: {
-      projectID: 3639465,
-      name: "Sync",
-    },
-  },
  scenarios: {
    constant_load: {
      executor: "constant-arrival-rate",
--- a/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
+++ b/src/Admin/AdminConsole/Controllers/OrganizationsController.cs
@ -14,8 +14,10 @@ using Bit.Core.AdminConsole.Providers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Billing.Enums;
 using Bit.Core.Billing.Extensions;
+using Bit.Core.Billing.Organizations.Services;
 using Bit.Core.Billing.Pricing;
 using Bit.Core.Billing.Providers.Services;
+using Bit.Core.Billing.Services;
 using Bit.Core.Enums;
 using Bit.Core.Models.OrganizationConnectionConfigs;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
@ -41,7 +43,7 @@ public class OrganizationsController : Controller
    private readonly ICollectionRepository _collectionRepository;
    private readonly IGroupRepository _groupRepository;
    private readonly IPolicyRepository _policyRepository;
-    private readonly IPaymentService _paymentService;
+    private readonly IStripePaymentService _paymentService;
    private readonly IApplicationCacheService _applicationCacheService;
    private readonly GlobalSettings _globalSettings;
    private readonly IProviderRepository _providerRepository;
@ -56,6 +58,7 @@ public class OrganizationsController : Controller
    private readonly IOrganizationInitiateDeleteCommand _organizationInitiateDeleteCommand;
    private readonly IPricingClient _pricingClient;
    private readonly IResendOrganizationInviteCommand _resendOrganizationInviteCommand;
+    private readonly IOrganizationBillingService _organizationBillingService;

    public OrganizationsController(
        IOrganizationRepository organizationRepository,
@ -66,7 +69,7 @@ public class OrganizationsController : Controller
        ICollectionRepository collectionRepository,
        IGroupRepository groupRepository,
        IPolicyRepository policyRepository,
-        IPaymentService paymentService,
+        IStripePaymentService paymentService,
        IApplicationCacheService applicationCacheService,
        GlobalSettings globalSettings,
        IProviderRepository providerRepository,
@ -80,7 +83,8 @@ public class OrganizationsController : Controller
        IProviderBillingService providerBillingService,
        IOrganizationInitiateDeleteCommand organizationInitiateDeleteCommand,
        IPricingClient pricingClient,
-        IResendOrganizationInviteCommand resendOrganizationInviteCommand)
+        IResendOrganizationInviteCommand resendOrganizationInviteCommand,
+        IOrganizationBillingService organizationBillingService)
    {
        _organizationRepository = organizationRepository;
        _organizationUserRepository = organizationUserRepository;
@ -105,6 +109,7 @@ public class OrganizationsController : Controller
        _organizationInitiateDeleteCommand = organizationInitiateDeleteCommand;
        _pricingClient = pricingClient;
        _resendOrganizationInviteCommand = resendOrganizationInviteCommand;
+        _organizationBillingService = organizationBillingService;
    }

    [RequirePermission(Permission.Org_List_View)]
@ -241,6 +246,8 @@ public class OrganizationsController : Controller
        var existingOrganizationData = new Organization
        {
            Id = organization.Id,
+            Name = organization.Name,
+            BillingEmail = organization.BillingEmail,
            Status = organization.Status,
            PlanType = organization.PlanType,
            Seats = organization.Seats
@ -286,6 +293,22 @@ public class OrganizationsController : Controller

        await _applicationCacheService.UpsertOrganizationAbilityAsync(organization);

+        // Sync name/email changes to Stripe
+        if (existingOrganizationData.Name != organization.Name || existingOrganizationData.BillingEmail != organization.BillingEmail)
+        {
+            try
+            {
+                await _organizationBillingService.UpdateOrganizationNameAndEmail(organization);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex,
+                    "Failed to update Stripe customer for organization {OrganizationId}. Database was updated successfully.",
+                    organization.Id);
+                TempData["Warning"] = "Organization updated successfully, but Stripe customer name/email synchronization failed.";
+            }
+        }
+
        return RedirectToAction("Edit", new { id });
    }

@ -472,6 +495,9 @@ public class OrganizationsController : Controller
            organization.UseRiskInsights = model.UseRiskInsights;
            organization.UseOrganizationDomains = model.UseOrganizationDomains;
            organization.UseAdminSponsoredFamilies = model.UseAdminSponsoredFamilies;
+            organization.UseAutomaticUserConfirmation = model.UseAutomaticUserConfirmation;
+            organization.UseDisableSmAdsForUsers = model.UseDisableSmAdsForUsers;
+            organization.UsePhishingBlocker = model.UsePhishingBlocker;

            //secrets
            organization.SmSeats = model.SmSeats;
--- a/src/Admin/AdminConsole/Controllers/ProvidersController.cs
+++ b/src/Admin/AdminConsole/Controllers/ProvidersController.cs
@ -56,6 +56,7 @@ public class ProvidersController : Controller
    private readonly IStripeAdapter _stripeAdapter;
    private readonly IAccessControlService _accessControlService;
    private readonly ISubscriberService _subscriberService;
+    private readonly ILogger<ProvidersController> _logger;

    public ProvidersController(IOrganizationRepository organizationRepository,
        IResellerClientOrganizationSignUpCommand resellerClientOrganizationSignUpCommand,
@ -72,7 +73,8 @@ public class ProvidersController : Controller
        IPricingClient pricingClient,
        IStripeAdapter stripeAdapter,
        IAccessControlService accessControlService,
-        ISubscriberService subscriberService)
+        ISubscriberService subscriberService,
+        ILogger<ProvidersController> logger)
    {
        _organizationRepository = organizationRepository;
        _resellerClientOrganizationSignUpCommand = resellerClientOrganizationSignUpCommand;
@ -92,6 +94,7 @@ public class ProvidersController : Controller
        _braintreeMerchantUrl = webHostEnvironment.GetBraintreeMerchantUrl();
        _braintreeMerchantId = globalSettings.Braintree.MerchantId;
        _subscriberService = subscriberService;
+        _logger = logger;
    }

    [RequirePermission(Permission.Provider_List_View)]
@ -296,6 +299,9 @@ public class ProvidersController : Controller

        var originalProviderStatus = provider.Enabled;

+        // Capture original billing email before modifications for Stripe sync
+        var originalBillingEmail = provider.BillingEmail;
+
        model.ToProvider(provider);

        // validate the stripe ids to prevent saving a bad one
@ -321,6 +327,22 @@ public class ProvidersController : Controller
        await _providerService.UpdateAsync(provider);
        await _applicationCacheService.UpsertProviderAbilityAsync(provider);

+        // Sync billing email changes to Stripe
+        if (!string.IsNullOrEmpty(provider.GatewayCustomerId) && originalBillingEmail != provider.BillingEmail)
+        {
+            try
+            {
+                await _providerBillingService.UpdateProviderNameAndEmail(provider);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex,
+                    "Failed to update Stripe customer for provider {ProviderId}. Database was updated successfully.",
+                    provider.Id);
+                TempData["Warning"] = "Provider updated successfully, but Stripe customer email synchronization failed.";
+            }
+        }
+
        if (!provider.IsBillable())
        {
            return RedirectToAction("Edit", new { id });
@ -339,11 +361,11 @@ public class ProvidersController : Controller
                    ]);
                await _providerBillingService.UpdateSeatMinimums(updateMspSeatMinimumsCommand);

-                var customer = await _stripeAdapter.CustomerGetAsync(provider.GatewayCustomerId);
+                var customer = await _stripeAdapter.GetCustomerAsync(provider.GatewayCustomerId);
                if (model.PayByInvoice != customer.ApprovedToPayByInvoice())
                {
                    var approvedToPayByInvoice = model.PayByInvoice ? "1" : "0";
-                    await _stripeAdapter.CustomerUpdateAsync(customer.Id, new CustomerUpdateOptions
+                    await _stripeAdapter.UpdateCustomerAsync(customer.Id, new CustomerUpdateOptions
                    {
                        Metadata = new Dictionary<string, string>
                        {
--- a/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationEditModel.cs
@ -106,6 +106,10 @@ public class OrganizationEditModel : OrganizationViewModel
        SmServiceAccounts = org.SmServiceAccounts;
        MaxAutoscaleSmServiceAccounts = org.MaxAutoscaleSmServiceAccounts;
        UseOrganizationDomains = org.UseOrganizationDomains;
+        UseAutomaticUserConfirmation = org.UseAutomaticUserConfirmation;
+        UseDisableSmAdsForUsers = org.UseDisableSmAdsForUsers;
+        UsePhishingBlocker = org.UsePhishingBlocker;
+
        _plans = plans;
    }

@ -158,6 +162,8 @@ public class OrganizationEditModel : OrganizationViewModel
    public new bool UseSecretsManager { get; set; }
    [Display(Name = "Risk Insights")]
    public new bool UseRiskInsights { get; set; }
+    [Display(Name = "Phishing Blocker")]
+    public new bool UsePhishingBlocker { get; set; }
    [Display(Name = "Admin Sponsored Families")]
    public bool UseAdminSponsoredFamilies { get; set; }
    [Display(Name = "Self Host")]
@ -191,7 +197,11 @@ public class OrganizationEditModel : OrganizationViewModel
    public int? MaxAutoscaleSmServiceAccounts { get; set; }
    [Display(Name = "Use Organization Domains")]
    public bool UseOrganizationDomains { get; set; }
+    [Display(Name = "Disable SM Ads For Users")]
+    public new bool UseDisableSmAdsForUsers { get; set; }

+    [Display(Name = "Automatic User Confirmation")]
+    public bool UseAutomaticUserConfirmation { get; set; }
    /**
     * Creates a Plan[] object for use in Javascript
     * This is mapped manually below to provide some type safety in case the plan objects change
@ -231,6 +241,7 @@ public class OrganizationEditModel : OrganizationViewModel
                    LegacyYear = p.LegacyYear,
                    Disabled = p.Disabled,
                    SupportsSecretsManager = p.SupportsSecretsManager,
+                    AutomaticUserConfirmation = p.AutomaticUserConfirmation,
                    PasswordManager =
                        new
                        {
@ -322,6 +333,8 @@ public class OrganizationEditModel : OrganizationViewModel
        existingOrganization.SmServiceAccounts = SmServiceAccounts;
        existingOrganization.MaxAutoscaleSmServiceAccounts = MaxAutoscaleSmServiceAccounts;
        existingOrganization.UseOrganizationDomains = UseOrganizationDomains;
+        existingOrganization.UseDisableSmAdsForUsers = UseDisableSmAdsForUsers;
+        existingOrganization.UsePhishingBlocker = UsePhishingBlocker;
        return existingOrganization;
    }
 }
--- a/src/Admin/AdminConsole/Models/OrganizationViewModel.cs
+++ b/src/Admin/AdminConsole/Models/OrganizationViewModel.cs
@ -75,6 +75,8 @@ public class OrganizationViewModel
    public int OccupiedSmSeatsCount { get; set; }
    public bool UseSecretsManager => Organization.UseSecretsManager;
    public bool UseRiskInsights => Organization.UseRiskInsights;
+    public bool UsePhishingBlocker => Organization.UsePhishingBlocker;
+    public bool UseDisableSmAdsForUsers => Organization.UseDisableSmAdsForUsers;
    public IEnumerable<OrganizationUserUserDetails> OwnersDetails { get; set; }
    public IEnumerable<OrganizationUserUserDetails> AdminsDetails { get; set; }
 }
--- a/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
+++ b/src/Admin/AdminConsole/Views/Shared/_OrganizationForm.cshtml
@ -152,11 +152,19 @@
                    <input type="checkbox" class="form-check-input" asp-for="UseCustomPermissions" disabled='@(canEditPlan ? null : "disabled")'>
                    <label class="form-check-label" asp-for="UseCustomPermissions"></label>
                </div>
-                @if(FeatureService.IsEnabled(FeatureFlagKeys.PM17772_AdminInitiatedSponsorships))
+                <div class="form-check">
+                    <input type="checkbox" class="form-check-input" asp-for="UseAdminSponsoredFamilies" disabled='@(canEditPlan ? null : "disabled")'>
+                    <label class="form-check-label" asp-for="UseAdminSponsoredFamilies"></label>
+                </div>
+                <div class="form-check">
+                    <input type="checkbox" class="form-check-input" asp-for="UsePhishingBlocker" disabled='@(canEditPlan ? null : "disabled")'>
+                    <label class="form-check-label" asp-for="UsePhishingBlocker"></label>
+                </div>
+                @if(FeatureService.IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers))
                {
                    <div class="form-check">
-                        <input type="checkbox" class="form-check-input" asp-for="UseAdminSponsoredFamilies" disabled='@(canEditPlan ? null : "disabled")'>
-                        <label class="form-check-label" asp-for="UseAdminSponsoredFamilies"></label>
+                        <input type="checkbox" class="form-check-input" asp-for="UseAutomaticUserConfirmation" disabled='@(canEditPlan ? null : "disabled")'>
+                        <label class="form-check-label" asp-for="UseAutomaticUserConfirmation"></label>
                    </div>
                }
            </div>
@ -177,6 +185,13 @@
                    <input type="checkbox" class="form-check-input" asp-for="UseSecretsManager" disabled='@(canEditPlan ? null : "disabled")'>
                    <label class="form-check-label" asp-for="UseSecretsManager"></label>
                </div>
+                @if (FeatureService.IsEnabled(FeatureFlagKeys.SM1719_RemoveSecretsManagerAds))
+                {
+                    <div class="form-check">
+                        <input type="checkbox" class="form-check-input" asp-for="UseDisableSmAdsForUsers" disabled='@(canEditPlan ? null : "disabled")'>
+                        <label class="form-check-label" asp-for="UseDisableSmAdsForUsers"></label>
+                    </div>
+                }
            </div>
            <div class="col-2">
                <h3>Access Intelligence</h3>
--- a/src/Admin/Billing/Controllers/MigrateProvidersController.cs
+++ b/src/Admin/Billing/Controllers/MigrateProvidersController.cs
@ -1,83 +0,0 @@
-using Bit.Admin.Billing.Models;
-using Bit.Admin.Enums;
-using Bit.Admin.Utilities;
-using Bit.Core.Billing.Providers.Migration.Models;
-using Bit.Core.Billing.Providers.Migration.Services;
-using Bit.Core.Utilities;
-using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Mvc;
-
-namespace Bit.Admin.Billing.Controllers;
-
-[Authorize]
-[Route("migrate-providers")]
-[SelfHosted(NotSelfHostedOnly = true)]
-public class MigrateProvidersController(
-    IProviderMigrator providerMigrator) : Controller
-{
-    [HttpGet]
-    [RequirePermission(Permission.Tools_MigrateProviders)]
-    public IActionResult Index()
-    {
-        return View(new MigrateProvidersRequestModel());
-    }
-
-    [HttpPost]
-    [RequirePermission(Permission.Tools_MigrateProviders)]
-    [ValidateAntiForgeryToken]
-    public async Task<IActionResult> PostAsync(MigrateProvidersRequestModel request)
-    {
-        var providerIds = GetProviderIdsFromInput(request.ProviderIds);
-
-        if (providerIds.Count == 0)
-        {
-            return RedirectToAction("Index");
-        }
-
-        foreach (var providerId in providerIds)
-        {
-            await providerMigrator.Migrate(providerId);
-        }
-
-        return RedirectToAction("Results", new { ProviderIds = string.Join("\r\n", providerIds) });
-    }
-
-    [HttpGet("results")]
-    [RequirePermission(Permission.Tools_MigrateProviders)]
-    public async Task<IActionResult> ResultsAsync(MigrateProvidersRequestModel request)
-    {
-        var providerIds = GetProviderIdsFromInput(request.ProviderIds);
-
-        if (providerIds.Count == 0)
-        {
-            return View(Array.Empty<ProviderMigrationResult>());
-        }
-
-        var results = await Task.WhenAll(providerIds.Select(providerMigrator.GetResult));
-
-        return View(results);
-    }
-
-    [HttpGet("results/{providerId:guid}")]
-    [RequirePermission(Permission.Tools_MigrateProviders)]
-    public async Task<IActionResult> DetailsAsync([FromRoute] Guid providerId)
-    {
-        var result = await providerMigrator.GetResult(providerId);
-
-        if (result == null)
-        {
-            return RedirectToAction("Index");
-        }
-
-        return View(result);
-    }
-
-    private static List<Guid> GetProviderIdsFromInput(string text) => !string.IsNullOrEmpty(text)
-        ? text.Split(
-                ["\r\n", "\r", "\n"],
-                StringSplitOptions.TrimEntries
-            )
-            .Select(id => new Guid(id))
-            .ToList()
-        : [];
-}
--- a/src/Admin/Billing/Models/MigrateProvidersRequestModel.cs
+++ b/src/Admin/Billing/Models/MigrateProvidersRequestModel.cs
@ -1,13 +0,0 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
-
-using System.ComponentModel.DataAnnotations;
-
-namespace Bit.Admin.Billing.Models;
-
-public class MigrateProvidersRequestModel
-{
-    [Required]
-    [Display(Name = "Provider IDs")]
-    public string ProviderIds { get; set; }
-}
--- a/src/Admin/Billing/Views/MigrateProviders/Details.cshtml
+++ b/src/Admin/Billing/Views/MigrateProviders/Details.cshtml
@ -1,39 +0,0 @@
-@using System.Text.Json
-@model Bit.Core.Billing.Providers.Migration.Models.ProviderMigrationResult
-@{
-    ViewData["Title"] = "Results";
-}
-
-<h1>Migrate Providers</h1>
-<h2>Migration Details: @Model.ProviderName</h2>
-<dl class="row">
-    <dt class="col-sm-4 col-lg-3">Id</dt>
-    <dd class="col-sm-8 col-lg-9"><code>@Model.ProviderId</code></dd>
-
-    <dt class="col-sm-4 col-lg-3">Result</dt>
-    <dd class="col-sm-8 col-lg-9">@Model.Result</dd>
-</dl>
-<h3>Client Organizations</h3>
-<div class="table-responsive">
-    <table class="table table-striped table-hover">
-        <thead>
-        <tr>
-            <th>ID</th>
-            <th>Name</th>
-            <th>Result</th>
-            <th>Previous State</th>
-        </tr>
-        </thead>
-        <tbody>
-        @foreach (var clientResult in Model.Clients)
-        {
-            <tr>
-                <td>@clientResult.OrganizationId</td>
-                <td>@clientResult.OrganizationName</td>
-                <td>@clientResult.Result</td>
-                <td><pre>@Html.Raw(JsonSerializer.Serialize(clientResult.PreviousState))</pre></td>
-            </tr>
-        }
-        </tbody>
-    </table>
-</div>
--- a/Show more
+++ b/Show more