[PM-26636] - Auto Confirm Org User Command (#6488)

* Adding auto confirm endpoint and initial command work. * Adding validator * Finished command implementation. * Enabled the feature renomved used method. Enabled the policy in the tests. * Added extension functions to allow for railroad programming. * Removed guid from route template. Added xml docs * Added validation for command. * Added default collection creation to command. * formatting. * Added additional error types and mapped to appropriate results. * Added tests for auto confirm validator * Adding tests * fixing file name * Cleaned up OrgUserController. Added integration tests. * Consolidated CommandResult and validation result stuff into a v2 directory. * changing result to match handle method. * Moves validation thenasync method. * Added brackets. * Updated XML comment * Adding idempotency comment. * Fixed up merge problems. Fixed return types for handle. * Renamed to ValidationRequest * I added some methods for CommandResult to cover some future use cases. Added ApplyAsync method to execute multiple functions against CommandResult without an error stopping the workflow for side-effects. * Fixed up logic around should create default colleciton. Added more methods for chaining ValidationResult together. Added logic for user type. * Clearing nullable enable. * Fixed up validator tests. * Tests for auto confirm command * Fixed up command result and AutoConfirmCommand. * Removed some unused methods. * Moved autoconfirm tests to their own class. * Moved some stuff around. Need to clean up creation of accepted org user yet. * Moved some more code around. Folded Key into accepted constructor. removed unneeded tests since key and accepted are now a part of AcceptedOrgUser Creation. * Clean up clean up everybody everywhere. Clean up clean up everybody do your share. * Another quick one * Removed aggregate Errors.cs * Cleaned up validator and fixed up tests. * Fixed auto confirm repo * Cleaned up command tests. * Unused method. * Restoring Bulk command back to what it was. deleted handle method for bulk. * Remove unused method. * removed unnecssary lines and comments * fixed layout. * Fixed test. * fixed spelling mistake. removed unused import. * Update test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUsers/AutomaticallyConfirmUsersCommandTests.cs Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com> * Ensuring collection is created before full sync. Cleaning up tests and added a few more. Added check that the policy is enabled. * Added org cleanup * Lowering to 5 to see if that helps the runner. * 🤷 * Trying this * Maybe this time will be different. * seeing if awaiting and checking independently will work in ci * I figured it out. Locally, it would be fast enough to all return NoContent, however in CI, its slow enough for it to return 400 due to the user already being confirmed via validation. * Updated tests and validator * Fixed name --------- Co-authored-by: Rui Tomé <108268980+r-tome@users.noreply.github.com>
2025-12-06 00:03:34 +00:00 · 2025-11-19 08:09:48 -06:00
parent a6f87c3f72
commit 1eb396cb40
33 changed files with 2431 additions and 99 deletions
--- a/src/Api/AdminConsole/Controllers/BaseAdminConsoleController.cs
+++ b/src/Api/AdminConsole/Controllers/BaseAdminConsoleController.cs
@@ -0,0 +1,26 @@
+using Bit.Core.AdminConsole.Utilities.v2;
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+using Bit.Core.Models.Api;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.AdminConsole.Controllers;
+
+public abstract class BaseAdminConsoleController : Controller
+{
+    protected static IResult Handle(CommandResult commandResult) =>
+        commandResult.Match<IResult>(
+            error => error switch
+            {
+                BadRequestError badRequest => TypedResults.BadRequest(new ErrorResponseModel(badRequest.Message)),
+                NotFoundError notFound => TypedResults.NotFound(new ErrorResponseModel(notFound.Message)),
+                InternalError internalError => TypedResults.Json(
+                    new ErrorResponseModel(internalError.Message),
+                    statusCode: StatusCodes.Status500InternalServerError),
+                _ => TypedResults.Json(
+                    new ErrorResponseModel(error.Message),
+                    statusCode: StatusCodes.Status500InternalServerError
+                )
+            },
+            _ => TypedResults.NoContent()
+        );
+}
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -11,8 +11,10 @@ using Bit.Api.Models.Response;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Core;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.AccountRecovery;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
@@ -20,6 +22,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.RestoreUser.v
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Utilities.v2;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Billing.Pricing;
@@ -43,7 +46,7 @@ namespace Bit.Api.AdminConsole.Controllers;

 [Route("organizations/{orgId}/users")]
 [Authorize("Application")]
-public class OrganizationUsersController : Controller
+public class OrganizationUsersController : BaseAdminConsoleController
 {
    private readonly IOrganizationRepository _organizationRepository;
    private readonly IOrganizationUserRepository _organizationUserRepository;
@@ -68,6 +71,7 @@ public class OrganizationUsersController : Controller
    private readonly IFeatureService _featureService;
    private readonly IPricingClient _pricingClient;
    private readonly IResendOrganizationInviteCommand _resendOrganizationInviteCommand;
+    private readonly IAutomaticallyConfirmOrganizationUserCommand _automaticallyConfirmOrganizationUserCommand;
    private readonly IConfirmOrganizationUserCommand _confirmOrganizationUserCommand;
    private readonly IRestoreOrganizationUserCommand _restoreOrganizationUserCommand;
    private readonly IInitPendingOrganizationCommand _initPendingOrganizationCommand;
@@ -101,7 +105,8 @@ public class OrganizationUsersController : Controller
        IInitPendingOrganizationCommand initPendingOrganizationCommand,
        IRevokeOrganizationUserCommand revokeOrganizationUserCommand,
        IResendOrganizationInviteCommand resendOrganizationInviteCommand,
-        IAdminRecoverAccountCommand adminRecoverAccountCommand)
+        IAdminRecoverAccountCommand adminRecoverAccountCommand,
+        IAutomaticallyConfirmOrganizationUserCommand automaticallyConfirmOrganizationUserCommand)
    {
        _organizationRepository = organizationRepository;
        _organizationUserRepository = organizationUserRepository;
@@ -126,6 +131,7 @@ public class OrganizationUsersController : Controller
        _featureService = featureService;
        _pricingClient = pricingClient;
        _resendOrganizationInviteCommand = resendOrganizationInviteCommand;
+        _automaticallyConfirmOrganizationUserCommand = automaticallyConfirmOrganizationUserCommand;
        _confirmOrganizationUserCommand = confirmOrganizationUserCommand;
        _restoreOrganizationUserCommand = restoreOrganizationUserCommand;
        _initPendingOrganizationCommand = initPendingOrganizationCommand;
@@ -738,6 +744,31 @@ public class OrganizationUsersController : Controller
        await BulkEnableSecretsManagerAsync(orgId, model);
    }

+    [HttpPost("{id}/auto-confirm")]
+    [Authorize<ManageUsersRequirement>]
+    [RequireFeature(FeatureFlagKeys.AutomaticConfirmUsers)]
+    public async Task<IResult> AutomaticallyConfirmOrganizationUserAsync([FromRoute] Guid orgId,
+        [FromRoute] Guid id,
+        [FromBody] OrganizationUserConfirmRequestModel model)
+    {
+        var userId = _userService.GetProperUserId(User);
+
+        if (userId is null || userId.Value == Guid.Empty)
+        {
+            return TypedResults.Unauthorized();
+        }
+
+        return Handle(await _automaticallyConfirmOrganizationUserCommand.AutomaticallyConfirmOrganizationUserAsync(
+            new AutomaticallyConfirmOrganizationUserRequest
+            {
+                OrganizationId = orgId,
+                OrganizationUserId = id,
+                Key = model.Key,
+                DefaultUserCollectionName = model.DefaultUserCollectionName,
+                PerformedBy = new StandardUser(userId.Value, await _currentContext.OrganizationOwner(orgId)),
+            }));
+    }
+
    private async Task RestoreOrRevokeUserAsync(
        Guid orgId,
        Guid id,
--- a/src/Core/AdminConsole/Enums/EventType.cs
+++ b/src/Core/AdminConsole/Enums/EventType.cs
@@ -60,6 +60,7 @@ public enum EventType : int
    OrganizationUser_RejectedAuthRequest = 1514,
    OrganizationUser_Deleted = 1515, // Both user and organization user data were deleted
    OrganizationUser_Left = 1516,    // User voluntarily left the organization
+    OrganizationUser_AutomaticallyConfirmed = 1517,

    Organization_Updated = 1600,
    Organization_PurgedVault = 1601,
--- a/src/Core/AdminConsole/Models/Data/OrganizationUsers/AcceptedOrganizationUserToConfirm.cs
+++ b/src/Core/AdminConsole/Models/Data/OrganizationUsers/AcceptedOrganizationUserToConfirm.cs
@@ -0,0 +1,8 @@
+namespace Bit.Core.AdminConsole.Models.Data.OrganizationUsers;
+
+public record AcceptedOrganizationUserToConfirm
+{
+    public required Guid OrganizationUserId { get; init; }
+    public required Guid UserId { get; init; }
+    public required string Key { get; init; }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUserCommand.cs
@@ -0,0 +1,186 @@
+using Bit.Core.AdminConsole.Models.Data.OrganizationUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Microsoft.Extensions.Logging;
+using OneOf.Types;
+using CommandResult = Bit.Core.AdminConsole.Utilities.v2.Results.CommandResult;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+
+public class AutomaticallyConfirmOrganizationUserCommand(IOrganizationUserRepository organizationUserRepository,
+    IOrganizationRepository organizationRepository,
+    IAutomaticallyConfirmOrganizationUsersValidator validator,
+    IEventService eventService,
+    IMailService mailService,
+    IUserRepository userRepository,
+    IPushRegistrationService pushRegistrationService,
+    IDeviceRepository deviceRepository,
+    IPushNotificationService pushNotificationService,
+    IPolicyRequirementQuery policyRequirementQuery,
+    ICollectionRepository collectionRepository,
+    TimeProvider timeProvider,
+    ILogger<AutomaticallyConfirmOrganizationUserCommand> logger) : IAutomaticallyConfirmOrganizationUserCommand
+{
+    public async Task<CommandResult> AutomaticallyConfirmOrganizationUserAsync(AutomaticallyConfirmOrganizationUserRequest request)
+    {
+        var validatorRequest = await RetrieveDataAsync(request);
+
+        var validatedData = await validator.ValidateAsync(validatorRequest);
+
+        return await validatedData.Match<Task<CommandResult>>(
+            error => Task.FromResult(new CommandResult(error)),
+            async _ =>
+            {
+                var userToConfirm = new AcceptedOrganizationUserToConfirm
+                {
+                    OrganizationUserId = validatedData.Request.OrganizationUser!.Id,
+                    UserId = validatedData.Request.OrganizationUser.UserId!.Value,
+                    Key = validatedData.Request.Key
+                };
+
+                // This operation is idempotent. If false, the user is already confirmed and no additional side effects are required.
+                if (!await organizationUserRepository.ConfirmOrganizationUserAsync(userToConfirm))
+                {
+                    return new None();
+                }
+
+                await CreateDefaultCollectionsAsync(validatedData.Request);
+
+                await Task.WhenAll(
+                    LogOrganizationUserConfirmedEventAsync(validatedData.Request),
+                    SendConfirmedOrganizationUserEmailAsync(validatedData.Request),
+                    SyncOrganizationKeysAsync(validatedData.Request)
+                );
+
+                return new None();
+            }
+        );
+    }
+
+    private async Task SyncOrganizationKeysAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        await DeleteDeviceRegistrationAsync(request);
+        await PushSyncOrganizationKeysAsync(request);
+    }
+
+    private async Task CreateDefaultCollectionsAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        try
+        {
+            if (!await ShouldCreateDefaultCollectionAsync(request))
+            {
+                return;
+            }
+
+            await collectionRepository.CreateAsync(
+                new Collection
+                {
+                    OrganizationId = request.Organization!.Id,
+                    Name = request.DefaultUserCollectionName,
+                    Type = CollectionType.DefaultUserCollection
+                },
+                groups: null,
+                [new CollectionAccessSelection
+                {
+                    Id = request.OrganizationUser!.Id,
+                    Manage = true
+                }]);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to create default collection for user.");
+        }
+    }
+
+    /// <summary>
+    /// Determines whether a default collection should be created for an organization user during the confirmation process.
+    /// </summary>
+    /// <param name="request">
+    /// The validation request containing information about the user, organization, and collection settings.
+    /// </param>
+    /// <returns>The result is a boolean value indicating whether a default collection should be created.</returns>
+    private async Task<bool> ShouldCreateDefaultCollectionAsync(AutomaticallyConfirmOrganizationUserValidationRequest request) =>
+        !string.IsNullOrWhiteSpace(request.DefaultUserCollectionName)
+        && (await policyRequirementQuery.GetAsync<OrganizationDataOwnershipPolicyRequirement>(request.OrganizationUser!.UserId!.Value))
+            .RequiresDefaultCollectionOnConfirm(request.Organization!.Id);
+
+    private async Task PushSyncOrganizationKeysAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        try
+        {
+            await pushNotificationService.PushSyncOrgKeysAsync(request.OrganizationUser!.UserId!.Value);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to push organization keys.");
+        }
+    }
+
+    private async Task LogOrganizationUserConfirmedEventAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        try
+        {
+            await eventService.LogOrganizationUserEventAsync(request.OrganizationUser,
+                EventType.OrganizationUser_AutomaticallyConfirmed,
+                timeProvider.GetUtcNow().UtcDateTime);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to log OrganizationUser_AutomaticallyConfirmed event.");
+        }
+    }
+
+    private async Task SendConfirmedOrganizationUserEmailAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        try
+        {
+            var user = await userRepository.GetByIdAsync(request.OrganizationUser!.UserId!.Value);
+
+            await mailService.SendOrganizationConfirmedEmailAsync(request.Organization!.Name,
+                user!.Email,
+                request.OrganizationUser.AccessSecretsManager);
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to send OrganizationUserConfirmed.");
+        }
+    }
+
+    private async Task DeleteDeviceRegistrationAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        try
+        {
+            var devices = (await deviceRepository.GetManyByUserIdAsync(request.OrganizationUser!.UserId!.Value))
+                    .Where(d => !string.IsNullOrWhiteSpace(d.PushToken))
+                    .Select(d => d.Id.ToString());
+
+            await pushRegistrationService.DeleteUserRegistrationOrganizationAsync(devices, request.Organization!.Id.ToString());
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Failed to delete device registration.");
+        }
+    }
+
+    private async Task<AutomaticallyConfirmOrganizationUserValidationRequest> RetrieveDataAsync(
+        AutomaticallyConfirmOrganizationUserRequest request)
+    {
+        return new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            OrganizationUserId = request.OrganizationUserId,
+            OrganizationId = request.OrganizationId,
+            Key = request.Key,
+            DefaultUserCollectionName = request.DefaultUserCollectionName,
+            PerformedBy = request.PerformedBy,
+            OrganizationUser = await organizationUserRepository.GetByIdAsync(request.OrganizationUserId),
+            Organization = await organizationRepository.GetByIdAsync(request.OrganizationId)
+        };
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUserRequest.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUserRequest.cs
@@ -0,0 +1,29 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+
+/// <summary>
+/// Automatically Confirm User Command Request
+/// </summary>
+public record AutomaticallyConfirmOrganizationUserRequest
+{
+    public required Guid OrganizationUserId { get; init; }
+    public required Guid OrganizationId { get; init; }
+    public required string Key { get; init; }
+    public required string DefaultUserCollectionName { get; init; }
+    public required IActingUser PerformedBy { get; init; }
+}
+
+/// <summary>
+/// Automatically Confirm User Validation Request
+/// </summary>
+/// <remarks>
+/// This is used to hold retrieved data and pass it to the validator
+/// </remarks>
+public record AutomaticallyConfirmOrganizationUserValidationRequest : AutomaticallyConfirmOrganizationUserRequest
+{
+    public OrganizationUser? OrganizationUser { get; set; }
+    public Organization? Organization { get; set; }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUsersValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/AutomaticallyConfirmOrganizationUsersValidator.cs
@@ -0,0 +1,116 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Utilities.v2;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+
+public class AutomaticallyConfirmOrganizationUsersValidator(
+    IOrganizationUserRepository organizationUserRepository,
+    ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery,
+    IPolicyRequirementQuery policyRequirementQuery,
+    IPolicyRepository policyRepository) : IAutomaticallyConfirmOrganizationUsersValidator
+{
+    public async Task<ValidationResult<AutomaticallyConfirmOrganizationUserValidationRequest>> ValidateAsync(
+        AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        // User must exist
+        if (request is { OrganizationUser: null } || request.OrganizationUser is { UserId: null })
+        {
+            return Invalid(request, new UserNotFoundError());
+        }
+
+        // Organization must exist
+        if (request is { Organization: null })
+        {
+            return Invalid(request, new OrganizationNotFound());
+        }
+
+        // User must belong to the organization
+        if (request.OrganizationUser.OrganizationId != request.Organization.Id)
+        {
+            return Invalid(request, new OrganizationUserIdIsInvalid());
+        }
+
+        // User must be accepted
+        if (request is { OrganizationUser.Status: not OrganizationUserStatusType.Accepted })
+        {
+            return Invalid(request, new UserIsNotAccepted());
+        }
+
+        // User must be of type User
+        if (request is { OrganizationUser.Type: not OrganizationUserType.User })
+        {
+            return Invalid(request, new UserIsNotUserType());
+        }
+
+        if (!await OrganizationHasAutomaticallyConfirmUsersPolicyEnabledAsync(request))
+        {
+            return Invalid(request, new AutomaticallyConfirmUsersPolicyIsNotEnabled());
+        }
+
+        if (!await OrganizationUserConformsToTwoFactorRequiredPolicyAsync(request))
+        {
+            return Invalid(request, new UserDoesNotHaveTwoFactorEnabled());
+        }
+
+        if (await OrganizationUserConformsToSingleOrgPolicyAsync(request) is { } error)
+        {
+            return Invalid(request, error);
+        }
+
+        return Valid(request);
+    }
+
+    private async Task<bool> OrganizationHasAutomaticallyConfirmUsersPolicyEnabledAsync(
+            AutomaticallyConfirmOrganizationUserValidationRequest request) =>
+        await policyRepository.GetByOrganizationIdTypeAsync(request.OrganizationId,
+            PolicyType.AutomaticUserConfirmation) is { Enabled: true }
+        && request.Organization is { UseAutomaticUserConfirmation: true };
+
+    private async Task<bool> OrganizationUserConformsToTwoFactorRequiredPolicyAsync(AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        if ((await twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync([request.OrganizationUser!.UserId!.Value]))
+            .Any(x => x.userId == request.OrganizationUser.UserId && x.twoFactorIsEnabled))
+        {
+            return true;
+        }
+
+        return !(await policyRequirementQuery.GetAsync<RequireTwoFactorPolicyRequirement>(request.OrganizationUser.UserId!.Value))
+            .IsTwoFactorRequiredForOrganization(request.Organization!.Id);
+    }
+
+    private async Task<Error?> OrganizationUserConformsToSingleOrgPolicyAsync(
+        AutomaticallyConfirmOrganizationUserValidationRequest request)
+    {
+        var allOrganizationUsersForUser = await organizationUserRepository
+            .GetManyByUserAsync(request.OrganizationUser!.UserId!.Value);
+
+        if (allOrganizationUsersForUser.Count == 1)
+        {
+            return null;
+        }
+
+        var policyRequirement = await policyRequirementQuery
+            .GetAsync<SingleOrganizationPolicyRequirement>(request.OrganizationUser!.UserId!.Value);
+
+        if (policyRequirement.IsSingleOrgEnabledForThisOrganization(request.Organization!.Id))
+        {
+            return new OrganizationEnforcesSingleOrgPolicy();
+        }
+
+        if (policyRequirement.IsSingleOrgEnabledForOrganizationsOtherThan(request.Organization.Id))
+        {
+            return new OtherOrganizationEnforcesSingleOrgPolicy();
+        }
+
+        return null;
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/Errors.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/Errors.cs
@@ -0,0 +1,13 @@
+using Bit.Core.AdminConsole.Utilities.v2;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+
+public record OrganizationNotFound() : NotFoundError("Invalid organization");
+public record FailedToWriteToEventLog() : InternalError("Failed to write to event log");
+public record UserIsNotUserType() : BadRequestError("Only organization users with the User role can be automatically confirmed");
+public record UserIsNotAccepted() : BadRequestError("Cannot confirm user that has not accepted the invitation.");
+public record OrganizationUserIdIsInvalid() : BadRequestError("Invalid organization user id.");
+public record UserDoesNotHaveTwoFactorEnabled() : BadRequestError("User does not have two-step login enabled.");
+public record OrganizationEnforcesSingleOrgPolicy() : BadRequestError("Cannot confirm this member to the organization until they leave or remove all other organizations");
+public record OtherOrganizationEnforcesSingleOrgPolicy() : BadRequestError("Cannot confirm this member to the organization because they are in another organization which forbids it.");
+public record AutomaticallyConfirmUsersPolicyIsNotEnabled() : BadRequestError("Cannot confirm this member because the Automatically Confirm Users policy is not enabled.");
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/IAutomaticallyConfirmOrganizationUsersValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUser/IAutomaticallyConfirmOrganizationUsersValidator.cs
@@ -0,0 +1,9 @@
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+
+public interface IAutomaticallyConfirmOrganizationUsersValidator
+{
+    Task<ValidationResult<AutomaticallyConfirmOrganizationUserValidationRequest>> ValidateAsync(
+        AutomaticallyConfirmOrganizationUserValidationRequest request);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/DeleteClaimedOrganizationUserAccountCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/DeleteClaimedOrganizationUserAccountCommand.cs
@@ -1,4 +1,6 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/DeleteClaimedOrganizationUserAccountValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/DeleteClaimedOrganizationUserAccountValidator.cs
@@ -1,8 +1,9 @@
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
-using static Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount.ValidationResultHelpers;
+using static Bit.Core.AdminConsole.Utilities.v2.Validation.ValidationResultHelpers;

 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;

--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/Errors.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/Errors.cs
@@ -1,15 +1,6 @@
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
+using Bit.Core.AdminConsole.Utilities.v2;

-/// <summary>
-/// A strongly typed error containing a reason that an action failed.
-/// This is used for business logic validation and other expected errors, not exceptions.
-/// </summary>
-public abstract record Error(string Message);
-/// <summary>
-/// An <see cref="Error"/> type that maps to a NotFoundResult at the api layer.
-/// </summary>
-/// <param name="Message"></param>
-public abstract record NotFoundError(string Message) : Error(Message);
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;

 public record UserNotFoundError() : NotFoundError("Invalid user.");
 public record UserNotClaimedError() : Error("Member is not claimed by the organization.");
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/IDeleteClaimedOrganizationUserAccountCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/IDeleteClaimedOrganizationUserAccountCommand.cs
@@ -1,4 +1,6 @@
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;

 public interface IDeleteClaimedOrganizationUserAccountCommand
 {
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/IDeleteClaimedOrganizationUserAccountValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/IDeleteClaimedOrganizationUserAccountValidator.cs
@@ -1,4 +1,6 @@
-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;

 public interface IDeleteClaimedOrganizationUserAccountValidator
 {
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IAutomaticallyConfirmOrganizationUserCommand.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IAutomaticallyConfirmOrganizationUserCommand.cs
@@ -0,0 +1,40 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.Utilities.v2.Results;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+
+/// <summary>
+/// Command to automatically confirm an organization user.
+/// </summary>
+/// <remarks>
+/// The auto-confirm feature enables eligible client apps to confirm OrganizationUsers
+/// automatically via push notifications, eliminating the need for manual administrator
+/// intervention. Client apps receive a push notification, perform the required key exchange,
+/// and submit an auto-confirm request to the server. This command processes those
+/// client-initiated requests and should only be used in that specific context.
+/// </remarks>
+public interface IAutomaticallyConfirmOrganizationUserCommand
+{
+    /// <summary>
+    /// Automatically confirms the organization user based on the provided request data.
+    /// </summary>
+    /// <param name="request">The request containing necessary information to confirm the organization user.</param>
+    /// <remarks>
+    /// This action has side effects. The side effects are
+    /// <ul>
+    ///   <li>Creating an event log entry.</li>
+    ///   <li>Syncing organization keys with the user.</li>
+    ///   <li>Deleting any registered user devices for the organization.</li>
+    ///   <li>Sending an email to the confirmed user.</li>
+    ///   <li>Creating the default collection if applicable.</li>
+    /// </ul>
+    ///
+    /// Each of these actions is performed independently of each other and not guaranteed to be performed in any order.
+    /// Errors will be reported back for the actions that failed in a consolidated error message.
+    /// </remarks>
+    /// <returns>
+    /// The result of the command. If there was an error, the result will contain a typed error describing the problem
+    /// that occurred.
+    /// </returns>
+    Task<CommandResult> AutomaticallyConfirmOrganizationUserAsync(AutomaticallyConfirmOrganizationUserRequest request);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SingleOrganizationPolicyRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyRequirements/SingleOrganizationPolicyRequirement.cs
@@ -0,0 +1,21 @@
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+
+public class SingleOrganizationPolicyRequirement(IEnumerable<PolicyDetails> policyDetails) : IPolicyRequirement
+{
+    public bool IsSingleOrgEnabledForThisOrganization(Guid organizationId) =>
+        policyDetails.Any(p => p.OrganizationId == organizationId);
+
+    public bool IsSingleOrgEnabledForOrganizationsOtherThan(Guid organizationId) =>
+        policyDetails.Any(p => p.OrganizationId != organizationId);
+}
+
+public class SingleOrganizationPolicyRequirementFactory : BasePolicyRequirementFactory<SingleOrganizationPolicyRequirement>
+{
+    public override PolicyType PolicyType => PolicyType.SingleOrg;
+
+    public override SingleOrganizationPolicyRequirement Create(IEnumerable<PolicyDetails> policyDetails) =>
+        new(policyDetails);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs
@@ -65,5 +65,6 @@ public static class PolicyServiceCollectionExtensions
        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, RequireSsoPolicyRequirementFactory>();
        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, RequireTwoFactorPolicyRequirementFactory>();
        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, MasterPasswordPolicyRequirementFactory>();
+        services.AddScoped<IPolicyRequirementFactory<IPolicyRequirement>, SingleOrganizationPolicyRequirementFactory>();
    }
 }
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/SingleOrgPolicyValidator.cs
@@ -1,6 +1,4 @@
-#nullable enable
-
-using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
@@ -29,8 +27,6 @@ public class SingleOrgPolicyValidator : IPolicyValidator, IPolicyValidationEvent
    private readonly IOrganizationRepository _organizationRepository;
    private readonly ISsoConfigRepository _ssoConfigRepository;
    private readonly ICurrentContext _currentContext;
-    private readonly IFeatureService _featureService;
-    private readonly IRemoveOrganizationUserCommand _removeOrganizationUserCommand;
    private readonly IOrganizationHasVerifiedDomainsQuery _organizationHasVerifiedDomainsQuery;
    private readonly IRevokeNonCompliantOrganizationUserCommand _revokeNonCompliantOrganizationUserCommand;

@@ -40,8 +36,6 @@ public class SingleOrgPolicyValidator : IPolicyValidator, IPolicyValidationEvent
        IOrganizationRepository organizationRepository,
        ISsoConfigRepository ssoConfigRepository,
        ICurrentContext currentContext,
-        IFeatureService featureService,
-        IRemoveOrganizationUserCommand removeOrganizationUserCommand,
        IOrganizationHasVerifiedDomainsQuery organizationHasVerifiedDomainsQuery,
        IRevokeNonCompliantOrganizationUserCommand revokeNonCompliantOrganizationUserCommand)
    {
@@ -50,8 +44,6 @@ public class SingleOrgPolicyValidator : IPolicyValidator, IPolicyValidationEvent
        _organizationRepository = organizationRepository;
        _ssoConfigRepository = ssoConfigRepository;
        _currentContext = currentContext;
-        _featureService = featureService;
-        _removeOrganizationUserCommand = removeOrganizationUserCommand;
        _organizationHasVerifiedDomainsQuery = organizationHasVerifiedDomainsQuery;
        _revokeNonCompliantOrganizationUserCommand = revokeNonCompliantOrganizationUserCommand;
    }
--- a/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
@@ -93,7 +94,7 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
    ///
    /// This is an idempotent operation.
    /// </summary>
-    /// <param name="organizationUser">Accepted OrganizationUser to confirm</param>
+    /// <param name="organizationUserToConfirm">Accepted OrganizationUser to confirm</param>
    /// <returns>True, if the user was updated. False, if not performed.</returns>
-    Task<bool> ConfirmOrganizationUserAsync(OrganizationUser organizationUser);
+    Task<bool> ConfirmOrganizationUserAsync(AcceptedOrganizationUserToConfirm organizationUserToConfirm);
 }
--- a/src/Core/AdminConsole/Utilities/v2/Errors.cs
+++ b/src/Core/AdminConsole/Utilities/v2/Errors.cs
@@ -0,0 +1,15 @@
+namespace Bit.Core.AdminConsole.Utilities.v2;
+
+/// <summary>
+/// A strongly typed error containing a reason that an action failed.
+/// This is used for business logic validation and other expected errors, not exceptions.
+/// </summary>
+public abstract record Error(string Message);
+/// <summary>
+/// An <see cref="Error"/> type that maps to a NotFoundResult at the api layer.
+/// </summary>
+/// <param name="Message"></param>
+public abstract record NotFoundError(string Message) : Error(Message);
+
+public abstract record BadRequestError(string Message) : Error(Message);
+public abstract record InternalError(string Message) : Error(Message);
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/CommandResult.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/CommandResult.cs
@@ -1,7 +1,7 @@
 using OneOf;
 using OneOf.Types;

-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
+namespace Bit.Core.AdminConsole.Utilities.v2.Results;

 /// <summary>
 /// Represents the result of a command.
@@ -39,4 +39,3 @@ public record BulkCommandResult<T>(Guid Id, CommandResult<T> Result);
 /// A wrapper for <see cref="CommandResult"/> with an ID, to identify the result in bulk operations.
 /// </summary>
 public record BulkCommandResult(Guid Id, CommandResult Result);
-
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/ValidationResult.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccount/ValidationResult.cs
@@ -1,7 +1,7 @@
 using OneOf;
 using OneOf.Types;

-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
+namespace Bit.Core.AdminConsole.Utilities.v2.Validation;

 /// <summary>
 /// Represents the result of validating a request.
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@@ -14,6 +14,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.Organizations;
 using Bit.Core.AdminConsole.OrganizationFeatures.Organizations.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
@@ -135,6 +136,8 @@ public static class OrganizationServiceCollectionExtensions
        services.AddScoped<IUpdateOrganizationUserGroupsCommand, UpdateOrganizationUserGroupsCommand>();
        services.AddScoped<IConfirmOrganizationUserCommand, ConfirmOrganizationUserCommand>();
        services.AddScoped<IAdminRecoverAccountCommand, AdminRecoverAccountCommand>();
+        services.AddScoped<IAutomaticallyConfirmOrganizationUserCommand, AutomaticallyConfirmOrganizationUserCommand>();
+        services.AddScoped<IAutomaticallyConfirmOrganizationUsersValidator, AutomaticallyConfirmOrganizationUsersValidator>();

        services.AddScoped<IDeleteClaimedOrganizationUserAccountCommand, DeleteClaimedOrganizationUserAccountCommand>();
        services.AddScoped<IDeleteClaimedOrganizationUserAccountValidator, DeleteClaimedOrganizationUserAccountValidator>();
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs
@@ -2,6 +2,7 @@
 using System.Text.Json;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.AdminConsole.Utilities.DebuggingInstruments;
 using Bit.Core.Entities;
@@ -671,7 +672,7 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
            commandType: CommandType.StoredProcedure);
    }

-    public async Task<bool> ConfirmOrganizationUserAsync(OrganizationUser organizationUser)
+    public async Task<bool> ConfirmOrganizationUserAsync(AcceptedOrganizationUserToConfirm organizationUserToConfirm)
    {
        await using var connection = new SqlConnection(_marsConnectionString);

@@ -679,10 +680,10 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
            $"[{Schema}].[OrganizationUser_ConfirmById]",
            new
            {
-                organizationUser.Id,
-                organizationUser.UserId,
+                Id = organizationUserToConfirm.OrganizationUserId,
+                UserId = organizationUserToConfirm.UserId,
                RevisionDate = DateTime.UtcNow.Date,
-                Key = organizationUser.Key
+                Key = organizationUserToConfirm.Key
            });

        return rowCount > 0;
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
@@ -3,6 +3,7 @@

 using AutoMapper;
 using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -943,23 +944,24 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
        await dbContext.SaveChangesAsync();
    }

-    public async Task<bool> ConfirmOrganizationUserAsync(Core.Entities.OrganizationUser organizationUser)
+    public async Task<bool> ConfirmOrganizationUserAsync(AcceptedOrganizationUserToConfirm organizationUserToConfirm)
    {
        using var scope = ServiceScopeFactory.CreateScope();
        await using var dbContext = GetDatabaseContext(scope);

        var result = await dbContext.OrganizationUsers
-            .Where(ou => ou.Id == organizationUser.Id && ou.Status == OrganizationUserStatusType.Accepted)
+            .Where(ou => ou.Id == organizationUserToConfirm.OrganizationUserId
+                         && ou.Status == OrganizationUserStatusType.Accepted)
            .ExecuteUpdateAsync(x => x
                .SetProperty(y => y.Status, OrganizationUserStatusType.Confirmed)
-                .SetProperty(y => y.Key, organizationUser.Key));
+                .SetProperty(y => y.Key, organizationUserToConfirm.Key));

        if (result <= 0)
        {
            return false;
        }

-        await dbContext.UserBumpAccountRevisionDateByOrganizationUserIdAsync(organizationUser.Id);
+        await dbContext.UserBumpAccountRevisionDateByOrganizationUserIdAsync(organizationUserToConfirm.OrganizationUserId);
        return true;

    }
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/PolicyRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/PolicyRepository.cs
@@ -217,7 +217,7 @@ public class PolicyRepository : Repository<AdminConsoleEntities.Policy, Policy,
                                      UserId = u.Id
                                  }).ToListAsync();

-        // Combine results with provder lookup
+        // Combine results with the provider lookup
        var allResults = acceptedUsers.Concat(invitedUsers)
            .Select(item => new OrganizationPolicyDetails
            {
--- a/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUserControllerAutoConfirmTests.cs
+++ b/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUserControllerAutoConfirmTests.cs
@@ -0,0 +1,225 @@
+using System.Net;
+using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Core;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;
+
+public class OrganizationUserControllerAutoConfirmTests : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
+{
+    private const string _mockEncryptedString = "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk=";
+
+    private readonly HttpClient _client;
+    private readonly ApiApplicationFactory _factory;
+    private readonly LoginHelper _loginHelper;
+
+    private string _ownerEmail = null!;
+
+    public OrganizationUserControllerAutoConfirmTests(ApiApplicationFactory apiFactory)
+    {
+        _factory = apiFactory;
+        _factory.SubstituteService<IFeatureService>(featureService =>
+        {
+            featureService
+                .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+                .Returns(true);
+        });
+        _client = _factory.CreateClient();
+        _loginHelper = new LoginHelper(_factory, _client);
+    }
+
+    public async Task InitializeAsync()
+    {
+        _ownerEmail = $"org-owner-{Guid.NewGuid()}@example.com";
+        await _factory.LoginWithNewAccount(_ownerEmail);
+    }
+
+    [Fact]
+    public async Task AutoConfirm_WhenUserCannotManageOtherUsers_ThenShouldReturnForbidden()
+    {
+        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually2023,
+            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);
+
+        organization.UseAutomaticUserConfirmation = true;
+
+        await _factory.GetService<IOrganizationRepository>()
+            .UpsertAsync(organization);
+
+        var testKey = $"test-key-{Guid.NewGuid()}";
+
+        var userToConfirmEmail = $"org-user-to-confirm-{Guid.NewGuid()}@example.com";
+        await _factory.LoginWithNewAccount(userToConfirmEmail);
+
+        var (confirmingUserEmail, _) = await OrganizationTestHelpers.CreateNewUserWithAccountAsync(_factory, organization.Id, OrganizationUserType.User);
+        await _loginHelper.LoginAsync(confirmingUserEmail);
+
+        var organizationUser = await OrganizationTestHelpers.CreateUserAsync(
+            _factory,
+            organization.Id,
+            userToConfirmEmail,
+            OrganizationUserType.User,
+            false,
+            new Permissions { ManageUsers = false },
+            OrganizationUserStatusType.Accepted);
+
+        var result = await _client.PostAsJsonAsync($"organizations/{organization.Id}/users/{organizationUser.Id}/auto-confirm",
+            new OrganizationUserConfirmRequestModel
+            {
+                Key = testKey,
+                DefaultUserCollectionName = _mockEncryptedString
+            });
+
+        Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
+
+        await _factory.GetService<IOrganizationRepository>().DeleteAsync(organization);
+    }
+
+    [Fact]
+    public async Task AutoConfirm_WhenOwnerConfirmsValidUser_ThenShouldReturnNoContent()
+    {
+        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually2023,
+            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);
+
+        organization.UseAutomaticUserConfirmation = true;
+
+        await _factory.GetService<IOrganizationRepository>()
+            .UpsertAsync(organization);
+
+        var testKey = $"test-key-{Guid.NewGuid()}";
+
+        await _factory.GetService<IPolicyRepository>().CreateAsync(new Policy
+        {
+            OrganizationId = organization.Id,
+            Type = PolicyType.AutomaticUserConfirmation,
+            Enabled = true
+        });
+
+        await _factory.GetService<IPolicyRepository>().CreateAsync(new Policy
+        {
+            OrganizationId = organization.Id,
+            Type = PolicyType.OrganizationDataOwnership,
+            Enabled = true
+        });
+
+        var userToConfirmEmail = $"org-user-to-confirm-{Guid.NewGuid()}@example.com";
+        await _factory.LoginWithNewAccount(userToConfirmEmail);
+
+        await _loginHelper.LoginAsync(_ownerEmail);
+        var organizationUser = await OrganizationTestHelpers.CreateUserAsync(
+            _factory,
+            organization.Id,
+            userToConfirmEmail,
+            OrganizationUserType.User,
+            false,
+            new Permissions(),
+            OrganizationUserStatusType.Accepted);
+
+        var result = await _client.PostAsJsonAsync($"organizations/{organization.Id}/users/{organizationUser.Id}/auto-confirm",
+            new OrganizationUserConfirmRequestModel
+            {
+                Key = testKey,
+                DefaultUserCollectionName = _mockEncryptedString
+            });
+
+        Assert.Equal(HttpStatusCode.NoContent, result.StatusCode);
+
+        var orgUserRepository = _factory.GetService<IOrganizationUserRepository>();
+        var confirmedUser = await orgUserRepository.GetByIdAsync(organizationUser.Id);
+        Assert.NotNull(confirmedUser);
+        Assert.Equal(OrganizationUserStatusType.Confirmed, confirmedUser.Status);
+        Assert.Equal(testKey, confirmedUser.Key);
+
+        var collectionRepository = _factory.GetService<ICollectionRepository>();
+        var collections = await collectionRepository.GetManyByUserIdAsync(organizationUser.UserId!.Value);
+
+        Assert.NotEmpty(collections);
+        Assert.Single(collections.Where(c => c.Type == CollectionType.DefaultUserCollection));
+
+        await _factory.GetService<IOrganizationRepository>().DeleteAsync(organization);
+    }
+
+    [Fact]
+    public async Task AutoConfirm_WhenUserIsConfirmedMultipleTimes_ThenShouldSuccessAndOnlyConfirmOneUser()
+    {
+        var (organization, _) = await OrganizationTestHelpers.SignUpAsync(_factory, plan: PlanType.EnterpriseAnnually2023,
+            ownerEmail: _ownerEmail, passwordManagerSeats: 5, paymentMethod: PaymentMethodType.Card);
+
+        organization.UseAutomaticUserConfirmation = true;
+
+        await _factory.GetService<IOrganizationRepository>()
+            .UpsertAsync(organization);
+
+        var testKey = $"test-key-{Guid.NewGuid()}";
+
+        var userToConfirmEmail = $"org-user-to-confirm-{Guid.NewGuid()}@example.com";
+        await _factory.LoginWithNewAccount(userToConfirmEmail);
+
+        await _factory.GetService<IPolicyRepository>().CreateAsync(new Policy
+        {
+            OrganizationId = organization.Id,
+            Type = PolicyType.AutomaticUserConfirmation,
+            Enabled = true
+        });
+
+        await _factory.GetService<IPolicyRepository>().CreateAsync(new Policy
+        {
+            OrganizationId = organization.Id,
+            Type = PolicyType.OrganizationDataOwnership,
+            Enabled = true
+        });
+
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var organizationUser = await OrganizationTestHelpers.CreateUserAsync(
+            _factory,
+            organization.Id,
+            userToConfirmEmail,
+            OrganizationUserType.User,
+            false,
+            new Permissions(),
+            OrganizationUserStatusType.Accepted);
+
+        var tenRequests = Enumerable.Range(0, 10)
+            .Select(_ => _client.PostAsJsonAsync($"organizations/{organization.Id}/users/{organizationUser.Id}/auto-confirm",
+                new OrganizationUserConfirmRequestModel
+                {
+                    Key = testKey,
+                    DefaultUserCollectionName = _mockEncryptedString
+                })).ToList();
+
+        var results = await Task.WhenAll(tenRequests);
+
+        Assert.Contains(results, r => r.StatusCode == HttpStatusCode.NoContent);
+
+        var orgUserRepository = _factory.GetService<IOrganizationUserRepository>();
+        var confirmedUser = await orgUserRepository.GetByIdAsync(organizationUser.Id);
+        Assert.NotNull(confirmedUser);
+        Assert.Equal(OrganizationUserStatusType.Confirmed, confirmedUser.Status);
+        Assert.Equal(testKey, confirmedUser.Key);
+
+        var collections = await _factory.GetService<ICollectionRepository>()
+            .GetManyByUserIdAsync(organizationUser.UserId!.Value);
+        Assert.NotEmpty(collections);
+        // validates user only received one default collection
+        Assert.Single(collections.Where(c => c.Type == CollectionType.DefaultUserCollection));
+
+        await _factory.GetService<IOrganizationRepository>().DeleteAsync(organization);
+    }
+
+    public Task DisposeAsync()
+    {
+        _client.Dispose();
+        return Task.CompletedTask;
+    }
+}
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
@@ -9,10 +9,12 @@ using Bit.Core.AdminConsole.Entities;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.AccountRecovery;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.AdminConsole.Utilities.v2.Results;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Repositories;
 using Bit.Core.Context;
@@ -33,9 +35,11 @@ using Bit.Test.Common.AutoFixture.Attributes;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Mvc.ModelBinding;
 using NSubstitute;
+using OneOf.Types;
 using Xunit;

 namespace Bit.Api.Test.AdminConsole.Controllers;
@@ -476,7 +480,7 @@ public class OrganizationUsersControllerTests

        var result = await sutProvider.Sut.PutResetPassword(orgId, orgUserId, model);

-        Assert.IsType<NotFound>(result);
+        Assert.IsType<Microsoft.AspNetCore.Http.HttpResults.NotFound>(result);
    }

    [Theory]
@@ -506,7 +510,7 @@ public class OrganizationUsersControllerTests

        var result = await sutProvider.Sut.PutResetPassword(orgId, orgUserId, model);

-        Assert.IsType<NotFound>(result);
+        Assert.IsType<Microsoft.AspNetCore.Http.HttpResults.NotFound>(result);
    }

    [Theory]
@@ -521,7 +525,7 @@ public class OrganizationUsersControllerTests

        var result = await sutProvider.Sut.PutResetPassword(orgId, orgUserId, model);

-        Assert.IsType<NotFound>(result);
+        Assert.IsType<Microsoft.AspNetCore.Http.HttpResults.NotFound>(result);
    }

    [Theory]
@@ -594,4 +598,190 @@ public class OrganizationUsersControllerTests

        Assert.IsType<BadRequest<ModelStateDictionary>>(result);
    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_UserIdNull_ReturnsUnauthorized(
+        Guid orgId,
+        Guid orgUserId,
+        OrganizationUserConfirmRequestModel model,
+        SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
+            .Returns((Guid?)null);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(orgId, orgUserId, model);
+
+        // Assert
+        Assert.IsType<UnauthorizedHttpResult>(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_UserIdEmpty_ReturnsUnauthorized(
+        Guid orgId,
+        Guid orgUserId,
+        OrganizationUserConfirmRequestModel model,
+        SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
+            .Returns(Guid.Empty);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(orgId, orgUserId, model);
+
+        // Assert
+        Assert.IsType<UnauthorizedHttpResult>(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_Success_ReturnsOk(
+        Guid orgId,
+        Guid orgUserId,
+        Guid userId,
+        OrganizationUserConfirmRequestModel model,
+        SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
+            .Returns(userId);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationOwner(orgId)
+            .Returns(true);
+
+        sutProvider.GetDependency<IAutomaticallyConfirmOrganizationUserCommand>()
+            .AutomaticallyConfirmOrganizationUserAsync(Arg.Any<AutomaticallyConfirmOrganizationUserRequest>())
+            .Returns(new CommandResult(new None()));
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(orgId, orgUserId, model);
+
+        // Assert
+        Assert.IsType<NoContent>(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_NotFoundError_ReturnsNotFound(
+        Guid orgId,
+        Guid orgUserId,
+        Guid userId,
+        OrganizationUserConfirmRequestModel model,
+        SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
+            .Returns(userId);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationOwner(orgId)
+            .Returns(false);
+
+        var notFoundError = new OrganizationNotFound();
+        sutProvider.GetDependency<IAutomaticallyConfirmOrganizationUserCommand>()
+            .AutomaticallyConfirmOrganizationUserAsync(Arg.Any<AutomaticallyConfirmOrganizationUserRequest>())
+            .Returns(new CommandResult(notFoundError));
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(orgId, orgUserId, model);
+
+        // Assert
+        var notFoundResult = Assert.IsType<NotFound<ErrorResponseModel>>(result);
+        Assert.Equal(notFoundError.Message, notFoundResult.Value.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_BadRequestError_ReturnsBadRequest(
+        Guid orgId,
+        Guid orgUserId,
+        Guid userId,
+        OrganizationUserConfirmRequestModel model,
+        SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
+            .Returns(userId);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationOwner(orgId)
+            .Returns(true);
+
+        var badRequestError = new UserIsNotAccepted();
+        sutProvider.GetDependency<IAutomaticallyConfirmOrganizationUserCommand>()
+            .AutomaticallyConfirmOrganizationUserAsync(Arg.Any<AutomaticallyConfirmOrganizationUserRequest>())
+            .Returns(new CommandResult(badRequestError));
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(orgId, orgUserId, model);
+
+        // Assert
+        var badRequestResult = Assert.IsType<BadRequest<ErrorResponseModel>>(result);
+        Assert.Equal(badRequestError.Message, badRequestResult.Value.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_InternalError_ReturnsProblem(
+        Guid orgId,
+        Guid orgUserId,
+        Guid userId,
+        OrganizationUserConfirmRequestModel model,
+        SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.AutomaticConfirmUsers)
+            .Returns(true);
+
+        sutProvider.GetDependency<IUserService>()
+            .GetProperUserId(Arg.Any<ClaimsPrincipal>())
+            .Returns(userId);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .OrganizationOwner(orgId)
+            .Returns(true);
+
+        var internalError = new FailedToWriteToEventLog();
+        sutProvider.GetDependency<IAutomaticallyConfirmOrganizationUserCommand>()
+            .AutomaticallyConfirmOrganizationUserAsync(Arg.Any<AutomaticallyConfirmOrganizationUserRequest>())
+            .Returns(new CommandResult(internalError));
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(orgId, orgUserId, model);
+
+        // Assert
+        var problemResult = Assert.IsType<JsonHttpResult<ErrorResponseModel>>(result);
+        Assert.Equal(StatusCodes.Status500InternalServerError, problemResult.StatusCode);
+    }
 }
--- a/test/Core.Test/AdminConsole/AutoFixture/OrganizationFixtures.cs
+++ b/test/Core.Test/AdminConsole/AutoFixture/OrganizationFixtures.cs
@@ -1,6 +1,8 @@
-using System.Text.Json;
+using System.Reflection;
+using System.Text.Json;
 using AutoFixture;
 using AutoFixture.Kernel;
+using AutoFixture.Xunit2;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models;
@@ -20,6 +22,18 @@ public class OrganizationCustomization : ICustomization
 {
    public bool UseGroups { get; set; }
    public PlanType PlanType { get; set; }
+    public bool UseAutomaticUserConfirmation { get; set; }
+
+    public OrganizationCustomization()
+    {
+
+    }
+
+    public OrganizationCustomization(bool useAutomaticUserConfirmation, PlanType planType)
+    {
+        UseAutomaticUserConfirmation = useAutomaticUserConfirmation;
+        PlanType = planType;
+    }

    public void Customize(IFixture fixture)
    {
@@ -37,7 +51,8 @@ public class OrganizationCustomization : ICustomization
            .With(o => o.UseGroups, UseGroups)
            .With(o => o.PlanType, PlanType)
            .With(o => o.Seats, seats)
-            .With(o => o.SmSeats, smSeats));
+            .With(o => o.SmSeats, smSeats)
+            .With(o => o.UseAutomaticUserConfirmation, UseAutomaticUserConfirmation));

        fixture.Customize<Collection>(composer =>
            composer
@@ -277,3 +292,9 @@ internal class EphemeralDataProtectionAutoDataAttribute : CustomAutoDataAttribut
    public EphemeralDataProtectionAutoDataAttribute() : base(new SutProviderCustomization(), new EphemeralDataProtectionCustomization())
    { }
 }
+
+internal class OrganizationAttribute(bool useAutomaticUserConfirmation = false, PlanType planType = PlanType.Free) : CustomizeAttribute
+{
+    public override ICustomization GetCustomization(ParameterInfo parameter) =>
+        new OrganizationCustomization(useAutomaticUserConfirmation, planType);
+}
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUsers/AutomaticallyConfirmOrganizationUsersValidatorTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUsers/AutomaticallyConfirmOrganizationUsersValidatorTests.cs
@@ -0,0 +1,696 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Core.Test.AutoFixture.OrganizationFixtures;
+using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUsers;
+
+[SutProviderCustomize]
+public class AutomaticallyConfirmOrganizationUsersValidatorTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithNullOrganizationUser_ReturnsUserNotFoundError(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        Organization organization)
+    {
+        // Arrange
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = null,
+            OrganizationUserId = Guid.NewGuid(),
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<UserNotFoundError>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithNullUserId_ReturnsUserNotFoundError(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser)
+    {
+        // Arrange
+        organizationUser.UserId = null;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<UserNotFoundError>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithNullOrganization_ReturnsOrganizationNotFoundError(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        Guid userId)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = null,
+            OrganizationId = organizationUser.OrganizationId,
+            Key = "test-key"
+        };
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<OrganizationNotFound>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithValidAcceptedUser_ReturnsValidResult(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        [Organization(useAutomaticUserConfirmation: true, planType: PlanType.EnterpriseAnnually)] Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        Guid userId,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
+            .Returns(autoConfirmPolicy);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([(userId, true)]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsValid);
+        Assert.Equal(request, result.Request);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithMismatchedOrganizationId_ReturnsOrganizationUserIdIsInvalidError(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        Guid userId)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = Guid.NewGuid(); // Different from organization.Id
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<OrganizationUserIdIsInvalid>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserStatusType.Invited)]
+    [BitAutoData(OrganizationUserStatusType.Revoked)]
+    [BitAutoData(OrganizationUserStatusType.Confirmed)]
+    public async Task ValidateAsync_WithNotAcceptedStatus_ReturnsUserIsNotAcceptedError(
+        OrganizationUserStatusType statusType,
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Revoked)] OrganizationUser organizationUser,
+        Guid userId)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+        organizationUser.Status = statusType;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<UserIsNotAccepted>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    [BitAutoData(OrganizationUserType.Admin)]
+    public async Task ValidateAsync_WithNonUserType_ReturnsUserIsNotUserTypeError(
+        OrganizationUserType userType,
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        Guid userId)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+        organizationUser.Type = userType;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<UserIsNotUserType>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_UserWithout2FA_And2FARequired_ReturnsError(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        [Organization(useAutomaticUserConfirmation: true)] Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        Guid userId,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        var twoFactorPolicyDetails = new PolicyDetails
+        {
+            OrganizationId = organization.Id,
+            PolicyType = PolicyType.TwoFactorAuthentication
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
+            .Returns(autoConfirmPolicy);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([(userId, false)]);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<RequireTwoFactorPolicyRequirement>(userId)
+            .Returns(new RequireTwoFactorPolicyRequirement([twoFactorPolicyDetails]));
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<UserDoesNotHaveTwoFactorEnabled>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_UserWith2FA_ReturnsValidResult(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        [Organization(useAutomaticUserConfirmation: true)] Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        Guid userId,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
+            .Returns(autoConfirmPolicy);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([(userId, true)]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsValid);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_UserWithout2FA_And2FANotRequired_ReturnsValidResult(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        [Organization(useAutomaticUserConfirmation: true)] Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        Guid userId,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
+            .Returns(autoConfirmPolicy);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([(userId, false)]);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<RequireTwoFactorPolicyRequirement>(userId)
+            .Returns(new RequireTwoFactorPolicyRequirement([])); // No 2FA policy
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsValid);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_UserInMultipleOrgs_WithSingleOrgPolicyOnThisOrg_ReturnsError(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        [Organization(useAutomaticUserConfirmation: true)] Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        OrganizationUser otherOrgUser,
+        Guid userId,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        var singleOrgPolicyDetails = new PolicyDetails
+        {
+            OrganizationId = organization.Id,
+            PolicyType = PolicyType.SingleOrg
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
+            .Returns(autoConfirmPolicy);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([(userId, true)]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser, otherOrgUser]);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<SingleOrganizationPolicyRequirement>(userId)
+            .Returns(new SingleOrganizationPolicyRequirement([singleOrgPolicyDetails]));
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<OrganizationEnforcesSingleOrgPolicy>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_UserInMultipleOrgs_WithSingleOrgPolicyOnOtherOrg_ReturnsError(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        [Organization(useAutomaticUserConfirmation: true)] Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        OrganizationUser otherOrgUser,
+        Guid userId,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        var otherOrgId = Guid.NewGuid(); // Different org
+        var singleOrgPolicyDetails = new PolicyDetails
+        {
+            OrganizationId = otherOrgId,
+            PolicyType = PolicyType.SingleOrg,
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
+            .Returns(autoConfirmPolicy);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([(userId, true)]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser, otherOrgUser]);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<SingleOrganizationPolicyRequirement>(userId)
+            .Returns(new SingleOrganizationPolicyRequirement([singleOrgPolicyDetails]));
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<OtherOrganizationEnforcesSingleOrgPolicy>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_UserInSingleOrg_ReturnsValidResult(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        [Organization(useAutomaticUserConfirmation: true)] Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        Guid userId,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
+            .Returns(autoConfirmPolicy);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([(userId, true)]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser]); // Single org
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsValid);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_UserInMultipleOrgs_WithNoSingleOrgPolicy_ReturnsValidResult(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        [Organization(useAutomaticUserConfirmation: true)] Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        OrganizationUser otherOrgUser,
+        Guid userId,
+        Policy autoConfirmPolicy)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+        autoConfirmPolicy.Type = PolicyType.AutomaticUserConfirmation;
+        autoConfirmPolicy.Enabled = true;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
+            .Returns(autoConfirmPolicy);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([(userId, true)]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser, otherOrgUser]);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<SingleOrganizationPolicyRequirement>(userId)
+            .Returns(new SingleOrganizationPolicyRequirement([]));
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsValid);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithAutoConfirmPolicyDisabled_ReturnsAutoConfirmPolicyNotEnabledError(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        Guid userId)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
+            .Returns((Policy)null);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([(userId, true)]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<AutomaticallyConfirmUsersPolicyIsNotEnabled>(result.AsError);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task ValidateAsync_WithOrganizationUseAutomaticUserConfirmationDisabled_ReturnsAutoConfirmPolicyNotEnabledError(
+        SutProvider<AutomaticallyConfirmOrganizationUsersValidator> sutProvider,
+        [Organization(useAutomaticUserConfirmation: false)] Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        Guid userId,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy autoConfirmPolicy)
+    {
+        // Arrange
+        organizationUser.UserId = userId;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = Substitute.For<IActingUser>(),
+            DefaultUserCollectionName = "test-collection",
+            OrganizationUser = organizationUser,
+            OrganizationUserId = organizationUser.Id,
+            Organization = organization,
+            OrganizationId = organization.Id,
+            Key = "test-key"
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(organization.Id, PolicyType.AutomaticUserConfirmation)
+            .Returns(autoConfirmPolicy);
+
+        sutProvider.GetDependency<ITwoFactorIsEnabledQuery>()
+            .TwoFactorIsEnabledAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([(userId, true)]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByUserAsync(userId)
+            .Returns([organizationUser]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<AutomaticallyConfirmUsersPolicyIsNotEnabled>(result.AsError);
+    }
+}
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUsers/AutomaticallyConfirmUsersCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/AutoConfirmUsers/AutomaticallyConfirmUsersCommandTests.cs
@@ -0,0 +1,730 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Data;
+using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.Models.Data.OrganizationUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
+using Bit.Core.AdminConsole.Utilities.v2;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Platform.Push;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Test.AutoFixture.OrganizationUserFixtures;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.Extensions.Logging;
+using NSubstitute;
+using NSubstitute.ExceptionExtensions;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUsers;
+
+[SutProviderCustomize]
+public class AutomaticallyConfirmUsersCommandTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WithValidRequest_ConfirmsUserSuccessfully(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key,
+        string defaultCollectionName)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = defaultCollectionName,
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, true);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(o =>
+                o.OrganizationUserId == organizationUser.Id && o.Key == request.Key))
+            .Returns(true);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert
+        Assert.True(result.IsSuccess);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(o =>
+                o.OrganizationUserId == organizationUser.Id && o.Key == request.Key));
+
+        await AssertSuccessfulOperationsAsync(sutProvider, organizationUser, organization, user, key);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WithInvalidUserOrgId_ReturnsOrganizationUserIdIsInvalidError(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key,
+        string defaultCollectionName)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = Guid.NewGuid(); // User belongs to another organization
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = defaultCollectionName,
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, false, new OrganizationUserIdIsInvalid());
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.IsType<OrganizationUserIdIsInvalid>(result.AsError);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .DidNotReceive()
+            .ConfirmOrganizationUserAsync(Arg.Any<AcceptedOrganizationUserToConfirm>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WhenAlreadyConfirmed_ReturnsNoneSuccess(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key,
+        string defaultCollectionName)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = defaultCollectionName,
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, true);
+
+        // Return false to indicate the user is already confirmed
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(x =>
+                x.OrganizationUserId == organizationUser.Id && x.Key == request.Key))
+            .Returns(false);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert
+        Assert.True(result.IsSuccess);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
+            .Received(1)
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(x =>
+                x.OrganizationUserId == organizationUser.Id && x.Key == request.Key));
+
+        // Verify no side effects occurred
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceive()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(), Arg.Any<EventType>(), Arg.Any<DateTime?>());
+
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .DidNotReceive()
+            .PushSyncOrgKeysAsync(Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WithDefaultCollectionEnabled_CreatesDefaultCollection(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key,
+        string defaultCollectionName)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = defaultCollectionName, // Non-empty to trigger creation
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, true);
+        SetupPolicyRequirementMock(sutProvider, user.Id, organization.Id, true); // Policy requires collection
+
+        sutProvider.GetDependency<IOrganizationUserRepository>().ConfirmOrganizationUserAsync(
+                Arg.Is<AcceptedOrganizationUserToConfirm>(o =>
+                    o.OrganizationUserId == organizationUser.Id && o.Key == request.Key))
+            .Returns(true);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert
+        Assert.True(result.IsSuccess);
+
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .Received(1)
+            .CreateAsync(
+                Arg.Is<Collection>(c =>
+                    c.OrganizationId == organization.Id &&
+                    c.Name == defaultCollectionName &&
+                    c.Type == CollectionType.DefaultUserCollection),
+                Arg.Is<IEnumerable<CollectionAccessSelection>>(groups => groups == null),
+                Arg.Is<IEnumerable<CollectionAccessSelection>>(access =>
+                    access.FirstOrDefault(x => x.Id == organizationUser.Id && x.Manage) != null));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WithDefaultCollectionDisabled_DoesNotCreateCollection(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = string.Empty, // Empty, so the collection won't be created
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, true);
+        SetupPolicyRequirementMock(sutProvider, user.Id, organization.Id, false); // Policy doesn't require
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(o =>
+                o.OrganizationUserId == organizationUser.Id && o.Key == request.Key))
+            .Returns(true);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert
+        Assert.True(result.IsSuccess);
+
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceive()
+            .CreateAsync(Arg.Any<Collection>(),
+                Arg.Any<IEnumerable<CollectionAccessSelection>>(),
+                Arg.Any<IEnumerable<CollectionAccessSelection>>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WhenCreateDefaultCollectionFails_LogsErrorButReturnsSuccess(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key,
+        string defaultCollectionName)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = defaultCollectionName, // Non-empty to trigger creation
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, true);
+        SetupPolicyRequirementMock(sutProvider, user.Id, organization.Id, true);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(o =>
+                o.OrganizationUserId == organizationUser.Id && o.Key == request.Key)).Returns(true);
+
+        var collectionException = new Exception("Collection creation failed");
+        sutProvider.GetDependency<ICollectionRepository>()
+            .CreateAsync(Arg.Any<Collection>(),
+                Arg.Any<IEnumerable<CollectionAccessSelection>>(),
+                Arg.Any<IEnumerable<CollectionAccessSelection>>())
+            .ThrowsAsync(collectionException);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert - side effects are fire-and-forget, so command returns success even if collection creation fails
+        Assert.True(result.IsSuccess);
+
+        sutProvider.GetDependency<ILogger<AutomaticallyConfirmOrganizationUserCommand>>()
+            .Received(1)
+            .Log(
+                LogLevel.Error,
+                Arg.Any<EventId>(),
+                Arg.Is<object>(o => o.ToString()!.Contains("Failed to create default collection for user")),
+                collectionException,
+                Arg.Any<Func<object, Exception?, string>>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WhenEventLogFails_LogsErrorButReturnsSuccess(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key,
+        string defaultCollectionName)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = defaultCollectionName,
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, true);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(o =>
+                o.OrganizationUserId == organizationUser.Id && o.Key == request.Key))
+            .Returns(true);
+
+        var eventException = new Exception("Event logging failed");
+        sutProvider.GetDependency<IEventService>()
+            .LogOrganizationUserEventAsync(Arg.Any<OrganizationUser>(),
+                EventType.OrganizationUser_AutomaticallyConfirmed,
+                Arg.Any<DateTime?>())
+            .ThrowsAsync(eventException);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert - side effects are fire-and-forget, so command returns success even if event log fails
+        Assert.True(result.IsSuccess);
+
+        sutProvider.GetDependency<ILogger<AutomaticallyConfirmOrganizationUserCommand>>()
+            .Received(1)
+            .Log(
+                LogLevel.Error,
+                Arg.Any<EventId>(),
+                Arg.Is<object>(o => o.ToString()!.Contains("Failed to log OrganizationUser_AutomaticallyConfirmed event")),
+                eventException,
+                Arg.Any<Func<object, Exception?, string>>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WhenSendEmailFails_LogsErrorButReturnsSuccess(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key,
+        string defaultCollectionName)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = defaultCollectionName,
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, true);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(o =>
+                o.OrganizationUserId == organizationUser.Id && o.Key == request.Key))
+            .Returns(true);
+
+        var emailException = new Exception("Email sending failed");
+        sutProvider.GetDependency<IMailService>()
+            .SendOrganizationConfirmedEmailAsync(organization.Name, user.Email, organizationUser.AccessSecretsManager)
+            .ThrowsAsync(emailException);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert - side effects are fire-and-forget, so command returns success even if email fails
+        Assert.True(result.IsSuccess);
+
+        sutProvider.GetDependency<ILogger<AutomaticallyConfirmOrganizationUserCommand>>()
+            .Received(1)
+            .Log(
+                LogLevel.Error,
+                Arg.Any<EventId>(),
+                Arg.Is<object>(o => o.ToString()!.Contains("Failed to send OrganizationUserConfirmed")),
+                emailException,
+                Arg.Any<Func<object, Exception?, string>>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WhenUserNotFoundForEmail_LogsErrorButReturnsSuccess(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key,
+        string defaultCollectionName)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = defaultCollectionName,
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, true);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(o =>
+                o.OrganizationUserId == organizationUser.Id && o.Key == request.Key))
+            .Returns(true);
+
+        // Return null when retrieving user for email
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByIdAsync(user.Id)
+            .Returns((User)null!);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert - side effects are fire-and-forget, so command returns success even if user not found for email
+        Assert.True(result.IsSuccess);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WhenDeleteDeviceRegistrationFails_LogsErrorButReturnsSuccess(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key,
+        string defaultCollectionName,
+        Device device)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+        device.UserId = user.Id;
+        device.PushToken = "test-push-token";
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = defaultCollectionName,
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, true);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(o =>
+                o.OrganizationUserId == organizationUser.Id && o.Key == request.Key))
+            .Returns(true);
+
+        sutProvider.GetDependency<IDeviceRepository>()
+            .GetManyByUserIdAsync(user.Id)
+            .Returns(new List<Device> { device });
+
+        var deviceException = new Exception("Device registration deletion failed");
+        sutProvider.GetDependency<IPushRegistrationService>()
+            .DeleteUserRegistrationOrganizationAsync(Arg.Any<IEnumerable<string>>(), organization.Id.ToString())
+            .ThrowsAsync(deviceException);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert - side effects are fire-and-forget, so command returns success even if device registration deletion fails
+        Assert.True(result.IsSuccess);
+
+        sutProvider.GetDependency<ILogger<AutomaticallyConfirmOrganizationUserCommand>>()
+            .Received(1)
+            .Log(
+                LogLevel.Error,
+                Arg.Any<EventId>(),
+                Arg.Is<object>(o => o.ToString()!.Contains("Failed to delete device registration")),
+                deviceException,
+                Arg.Any<Func<object, Exception?, string>>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WhenPushSyncOrgKeysFails_LogsErrorButReturnsSuccess(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key,
+        string defaultCollectionName)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = defaultCollectionName,
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, true);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(o =>
+                o.OrganizationUserId == organizationUser.Id && o.Key == request.Key))
+            .Returns(true);
+
+        var pushException = new Exception("Push sync failed");
+        sutProvider.GetDependency<IPushNotificationService>()
+            .PushSyncOrgKeysAsync(user.Id)
+            .ThrowsAsync(pushException);
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert - side effects are fire-and-forget, so command returns success even if push sync fails
+        Assert.True(result.IsSuccess);
+
+        sutProvider.GetDependency<ILogger<AutomaticallyConfirmOrganizationUserCommand>>()
+            .Received(1)
+            .Log(
+                LogLevel.Error,
+                Arg.Any<EventId>(),
+                Arg.Is<object>(o => o.ToString()!.Contains("Failed to push organization keys")),
+                pushException,
+                Arg.Any<Func<object, Exception?, string>>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task AutomaticallyConfirmOrganizationUserAsync_WithDevicesWithoutPushToken_FiltersCorrectly(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Organization organization,
+        [OrganizationUser(OrganizationUserStatusType.Accepted)] OrganizationUser organizationUser,
+        User user,
+        Guid performingUserId,
+        string key,
+        string defaultCollectionName,
+        Device deviceWithToken,
+        Device deviceWithoutToken)
+    {
+        // Arrange
+        organizationUser.UserId = user.Id;
+        organizationUser.OrganizationId = organization.Id;
+        deviceWithToken.UserId = user.Id;
+        deviceWithToken.PushToken = "test-token";
+        deviceWithoutToken.UserId = user.Id;
+        deviceWithoutToken.PushToken = null;
+        var request = new AutomaticallyConfirmOrganizationUserRequest
+        {
+            OrganizationUserId = organizationUser.Id,
+            OrganizationId = organization.Id,
+            Key = key,
+            DefaultUserCollectionName = defaultCollectionName,
+            PerformedBy = new StandardUser(performingUserId, true)
+        };
+
+        SetupRepositoryMocks(sutProvider, organizationUser, organization, user);
+        SetupValidatorMock(sutProvider, request, organizationUser, organization, true);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .ConfirmOrganizationUserAsync(Arg.Is<AcceptedOrganizationUserToConfirm>(o =>
+                o.OrganizationUserId == organizationUser.Id && o.Key == request.Key))
+            .Returns(true);
+
+        sutProvider.GetDependency<IDeviceRepository>()
+            .GetManyByUserIdAsync(user.Id)
+            .Returns(new List<Device> { deviceWithToken, deviceWithoutToken });
+
+        // Act
+        var result = await sutProvider.Sut.AutomaticallyConfirmOrganizationUserAsync(request);
+
+        // Assert
+        Assert.True(result.IsSuccess);
+
+        await sutProvider.GetDependency<IPushRegistrationService>()
+            .Received(1)
+            .DeleteUserRegistrationOrganizationAsync(
+                Arg.Is<IEnumerable<string>>(devices =>
+                    devices.Count(d => deviceWithToken.Id.ToString() == d) == 1),
+                organization.Id.ToString());
+    }
+
+    private static void SetupRepositoryMocks(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        OrganizationUser organizationUser,
+        Organization organization,
+        User user)
+    {
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByIdAsync(organizationUser.Id)
+            .Returns(organizationUser);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        sutProvider.GetDependency<IUserRepository>()
+            .GetByIdAsync(user.Id)
+            .Returns(user);
+
+        sutProvider.GetDependency<IDeviceRepository>()
+            .GetManyByUserIdAsync(user.Id)
+            .Returns(new List<Device>());
+    }
+
+    private static void SetupValidatorMock(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        AutomaticallyConfirmOrganizationUserRequest originalRequest,
+        OrganizationUser organizationUser,
+        Organization organization,
+        bool isValid,
+        Error? error = null)
+    {
+        var validationRequest = new AutomaticallyConfirmOrganizationUserValidationRequest
+        {
+            PerformedBy = originalRequest.PerformedBy,
+            DefaultUserCollectionName = originalRequest.DefaultUserCollectionName,
+            OrganizationUserId = originalRequest.OrganizationUserId,
+            OrganizationUser = organizationUser,
+            OrganizationId = originalRequest.OrganizationId,
+            Organization = organization,
+            Key = originalRequest.Key
+        };
+
+        var validationResult = isValid
+            ? ValidationResultHelpers.Valid(validationRequest)
+            : ValidationResultHelpers.Invalid(validationRequest, error ?? new UserIsNotAccepted());
+
+        sutProvider.GetDependency<IAutomaticallyConfirmOrganizationUsersValidator>()
+            .ValidateAsync(Arg.Any<AutomaticallyConfirmOrganizationUserValidationRequest>())
+            .Returns(validationResult);
+    }
+
+    private static void SetupPolicyRequirementMock(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        Guid userId,
+        Guid organizationId,
+        bool requiresDefaultCollection)
+    {
+        var policyDetails = requiresDefaultCollection
+            ? new List<PolicyDetails> { new() { OrganizationId = organizationId } }
+            : new List<PolicyDetails>();
+
+        var policyRequirement = new OrganizationDataOwnershipPolicyRequirement(
+            requiresDefaultCollection ? OrganizationDataOwnershipState.Enabled : OrganizationDataOwnershipState.Disabled,
+            policyDetails);
+
+        sutProvider.GetDependency<IPolicyRequirementQuery>()
+            .GetAsync<OrganizationDataOwnershipPolicyRequirement>(userId)
+            .Returns(policyRequirement);
+    }
+
+    private static async Task AssertSuccessfulOperationsAsync(
+        SutProvider<AutomaticallyConfirmOrganizationUserCommand> sutProvider,
+        OrganizationUser organizationUser,
+        Organization organization,
+        User user,
+        string key)
+    {
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogOrganizationUserEventAsync(
+                Arg.Is<OrganizationUser>(x => x.Id == organizationUser.Id),
+                EventType.OrganizationUser_AutomaticallyConfirmed,
+                Arg.Any<DateTime?>());
+
+        await sutProvider.GetDependency<IMailService>()
+            .Received(1)
+            .SendOrganizationConfirmedEmailAsync(
+                organization.Name,
+                user.Email,
+                organizationUser.AccessSecretsManager);
+
+        await sutProvider.GetDependency<IPushNotificationService>()
+            .Received(1)
+            .PushSyncOrgKeysAsync(user.Id);
+
+        await sutProvider.GetDependency<IPushRegistrationService>()
+            .Received(1)
+            .DeleteUserRegistrationOrganizationAsync(
+                Arg.Any<IEnumerable<string>>(),
+                organization.Id.ToString());
+    }
+}
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccountvNext/DeleteClaimedOrganizationUserAccountCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/DeleteClaimedAccountvNext/DeleteClaimedOrganizationUserAccountCommandTests.cs
@@ -1,5 +1,7 @@
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.DeleteClaimedAccount;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.Utilities.v2;
+using Bit.Core.AdminConsole.Utilities.v2.Validation;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepository/OrganizationUserRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepository/OrganizationUserRepositoryTests.cs
@@ -1,4 +1,5 @@
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Models.Data.OrganizationUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Entities;
@@ -1487,8 +1488,15 @@ public class OrganizationUserRepositoryTests
        const string key = "test-key";
        orgUser.Key = key;

+        var acceptedOrganizationUser = new AcceptedOrganizationUserToConfirm
+        {
+            OrganizationUserId = orgUser.Id,
+            UserId = user.Id,
+            Key = key
+        };
+
        // Act
-        var result = await organizationUserRepository.ConfirmOrganizationUserAsync(orgUser);
+        var result = await organizationUserRepository.ConfirmOrganizationUserAsync(acceptedOrganizationUser);

        // Assert
        Assert.True(result);
@@ -1502,27 +1510,6 @@ public class OrganizationUserRepositoryTests
        await userRepository.DeleteAsync(user);
    }

-    [Theory, DatabaseData]
-    public async Task ConfirmOrganizationUserAsync_WhenUserIsInvited_ReturnsFalse(IOrganizationUserRepository organizationUserRepository,
-        IOrganizationRepository organizationRepository)
-    {
-        // Arrange
-        var organization = await organizationRepository.CreateTestOrganizationAsync();
-        var orgUser = await organizationUserRepository.CreateTestOrganizationUserInviteAsync(organization);
-
-        // Act
-        var result = await organizationUserRepository.ConfirmOrganizationUserAsync(orgUser);
-
-        // Assert
-        Assert.False(result);
-        var unchangedUser = await organizationUserRepository.GetByIdAsync(orgUser.Id);
-        Assert.NotNull(unchangedUser);
-        Assert.Equal(OrganizationUserStatusType.Invited, unchangedUser.Status);
-
-        // Annul
-        await organizationRepository.DeleteAsync(organization);
-    }
-
    [Theory, DatabaseData]
    public async Task ConfirmOrganizationUserAsync_WhenUserIsAlreadyConfirmed_ReturnsFalse(IOrganizationUserRepository organizationUserRepository,
        IOrganizationRepository organizationRepository,
@@ -1533,8 +1520,17 @@ public class OrganizationUserRepositoryTests
        var user = await userRepository.CreateTestUserAsync();
        var orgUser = await organizationUserRepository.CreateConfirmedTestOrganizationUserAsync(organization, user);

+        orgUser.Status = OrganizationUserStatusType.Accepted; // To simulate a second call to ConfirmOrganizationUserAsync
+
+        var acceptedOrganizationUser = new AcceptedOrganizationUserToConfirm
+        {
+            OrganizationUserId = orgUser.Id,
+            UserId = user.Id,
+            Key = "test-key"
+        };
+
        // Act
-        var result = await organizationUserRepository.ConfirmOrganizationUserAsync(orgUser);
+        var result = await organizationUserRepository.ConfirmOrganizationUserAsync(acceptedOrganizationUser);

        // Assert
        Assert.False(result);
@@ -1547,30 +1543,6 @@ public class OrganizationUserRepositoryTests
        await userRepository.DeleteAsync(user);
    }

-    [Theory, DatabaseData]
-    public async Task ConfirmOrganizationUserAsync_WhenUserIsRevoked_ReturnsFalse(IOrganizationUserRepository organizationUserRepository,
-        IOrganizationRepository organizationRepository,
-        IUserRepository userRepository)
-    {
-        // Arrange
-        var organization = await organizationRepository.CreateTestOrganizationAsync();
-        var user = await userRepository.CreateTestUserAsync();
-        var orgUser = await organizationUserRepository.CreateRevokedTestOrganizationUserAsync(organization, user);
-
-        // Act
-        var result = await organizationUserRepository.ConfirmOrganizationUserAsync(orgUser);
-
-        // Assert
-        Assert.False(result);
-        var unchangedUser = await organizationUserRepository.GetByIdAsync(orgUser.Id);
-        Assert.NotNull(unchangedUser);
-        Assert.Equal(OrganizationUserStatusType.Revoked, unchangedUser.Status);
-
-        // Annul
-        await organizationRepository.DeleteAsync(organization);
-        await userRepository.DeleteAsync(user);
-    }
-
    [Theory, DatabaseData]
    public async Task ConfirmOrganizationUserAsync_IsIdempotent_WhenCalledMultipleTimes(
        IOrganizationUserRepository organizationUserRepository,
@@ -1582,9 +1554,16 @@ public class OrganizationUserRepositoryTests
        var user = await userRepository.CreateTestUserAsync();
        var orgUser = await organizationUserRepository.CreateAcceptedTestOrganizationUserAsync(organization, user);

+        var acceptedOrganizationUser = new AcceptedOrganizationUserToConfirm
+        {
+            OrganizationUserId = orgUser.Id,
+            UserId = user.Id,
+            Key = "test-key"
+        };
+
        // Act - First call should confirm
-        var firstResult = await organizationUserRepository.ConfirmOrganizationUserAsync(orgUser);
-        var secondResult = await organizationUserRepository.ConfirmOrganizationUserAsync(orgUser);
+        var firstResult = await organizationUserRepository.ConfirmOrganizationUserAsync(acceptedOrganizationUser);
+        var secondResult = await organizationUserRepository.ConfirmOrganizationUserAsync(acceptedOrganizationUser);

        // Assert
        Assert.True(firstResult);
@@ -1603,14 +1582,11 @@ public class OrganizationUserRepositoryTests
        IOrganizationUserRepository organizationUserRepository)
    {
        // Arrange
-        var nonExistentUser = new OrganizationUser
+        var nonExistentUser = new AcceptedOrganizationUserToConfirm
        {
-            Id = Guid.NewGuid(),
-            OrganizationId = Guid.NewGuid(),
+            OrganizationUserId = Guid.NewGuid(),
            UserId = Guid.NewGuid(),
-            Email = "nonexistent@bitwarden.com",
-            Status = OrganizationUserStatusType.Accepted,
-            Type = OrganizationUserType.Owner
+            Key = "test-key"
        };

        // Act