From 80ee31b4fe8d006abd822e2273f55c5c8f7e3d3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Fri, 5 Dec 2025 14:22:00 +0000
Subject: [PATCH 1/4] [PM-25015] Add performance tests for Admin Console
 endpoints (#6235)

* Add GroupsRecipe to manage group creation and user relationships in organizations

* Add CollectionsRecipe to manage collection creation and user relationships in organizations

* Refactor OrganizationUsersControllerPerformanceTests to enhance performance testing and add new test cases

* Add OrganizationDomainRecipe to add verified domains for organizations

* Add more tests to OrganizationUsersControllerPerformanceTests and enhance seeding logic for organizations

- Updated performance tests to use dynamic domain generation for organization users.
- Refactored seeding methods in OrganizationWithUsersRecipe to accept user status and type.
- Modified AddToOrganization methods in CollectionsRecipe and GroupsRecipe to return created IDs.
- Adjusted DbSeederUtility to align with new seeding method signatures.

* Enhance OrganizationSeeder with additional configuration options and update seat calculation in OrganizationWithUsersRecipe to ensure a minimum of 1000 seats.

* Add performance tests for Groups, Organizations, Organization Users, and Provider Organizations controllers

- Introduced `GroupsControllerPerformanceTests` to validate the performance of the PutGroupAsync method.
- Added `OrganizationsControllerPerformanceTests` with multiple tests including DeleteOrganizationAsync, DeleteOrganizationWithTokenAsync, PostStorageAsync, and CreateWithoutPaymentAsync.
- Enhanced `OrganizationUsersControllerPerformanceTests` with DeleteSingleUserAccountAsync and InviteUsersAsync methods to test user account deletion and bulk invitations.
- Created `ProviderOrganizationsControllerPerformanceTests` to assess the performance of deleting provider organizations.

These tests ensure the reliability and efficiency of the respective controller actions under various scenarios.

* Refactor GroupsControllerPerformanceTests to use parameterized tests

- Renamed `GroupsControllerPerformanceTest` to `GroupsControllerPerformanceTests` for consistency.
- Updated `PutGroupAsync` method to use `[Theory]` with `InlineData` for dynamic user and collection counts.
- Adjusted organization user and collection seeding logic to utilize the new parameters.
- Enhanced logging to provide clearer performance metrics during tests.

* Update domain generation in GroupsControllerPerformanceTests for improved test consistency

* Remove ProviderOrganizationsControllerPerformanceTests

* Refactor performance tests for Groups, Organizations, and Organization Users controllers

- Updated method names for clarity and consistency, e.g., `PutGroupAsync` to `UpdateGroup_WithUsersAndCollections`.
- Enhanced test documentation with XML comments to describe the purpose of each test.
- Improved domain generation logic for consistency across tests.
- Adjusted logging to provide detailed performance metrics during test execution.
- Renamed several test methods to better reflect their functionality.

* Refactor performance tests in Organizations and Organization Users controllers

- Updated tests to use parameterized `[Theory]` attributes with `InlineData` for dynamic user, collection, and group counts.
- Enhanced logging to include detailed metrics such as user and collection counts during test execution.
- Marked several tests as skipped for performance considerations.
- Removed unused code and improved organization of test methods for clarity.

* Add bulk reinvite users performance test to OrganizationUsersControllerPerformanceTests

- Implemented a new performance test for the POST /organizations/{orgId}/users/reinvite endpoint.
- Utilized parameterized testing with `[Theory]` and `InlineData` to evaluate performance with varying user counts.
- Enhanced logging to capture request duration and response status for better performance insights.
- Updated OrganizationSeeder to conditionally set email based on user status during seeding.

* Refactor domain generation in performance tests to use OrganizationTestHelpers

- Updated domain generation logic in GroupsControllerPerformanceTests, OrganizationsControllerPerformanceTests, and OrganizationUsersControllerPerformanceTests to utilize the new GenerateRandomDomain method from OrganizationTestHelpers.
- This change enhances consistency and readability across the tests by centralizing domain generation logic.

* Update CollectionsRecipe to have better readability

* Update GroupsRecipe to have better readability

* Refactor authentication in performance tests to use centralized helper method. This change reduces code duplication across Groups, Organizations, and OrganizationUsers controller tests by implementing the `AuthenticateClientAsync` method in a new `PerformanceTestHelpers` class.

* Refactor OrganizationUsersControllerPerformanceTests to filter organization users by OrganizationId.

* Refactor CreateOrganizationUser method to improve handling of user status and key assignment based on invitation and confirmation states.

* Add XML documentation for CreateOrganizationUser method to clarify user status handling
---
 .../GroupsControllerPerformanceTests.cs       |  63 ++
 ...nizationUsersControllerPerformanceTests.cs | 578 +++++++++++++++++-
 ...OrganizationsControllerPerformanceTests.cs | 163 +++++
 .../Helpers/OrganizationTestHelpers.cs        |   9 +
 .../Helpers/PerformanceTestHelpers.cs         |  32 +
 util/DbSeederUtility/Program.cs               |   2 +-
 util/Seeder/Factories/OrganizationSeeder.cs   |  46 +-
 util/Seeder/Recipes/CollectionsRecipe.cs      | 122 ++++
 util/Seeder/Recipes/GroupsRecipe.cs           |  94 +++
 .../Recipes/OrganizationDomainRecipe.cs       |  25 +
 .../Recipes/OrganizationWithUsersRecipe.cs    |  18 +-
 11 files changed, 1124 insertions(+), 28 deletions(-)
 create mode 100644 test/Api.IntegrationTest/AdminConsole/Controllers/GroupsControllerPerformanceTests.cs
 create mode 100644 test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationsControllerPerformanceTests.cs
 create mode 100644 test/Api.IntegrationTest/Helpers/PerformanceTestHelpers.cs
 create mode 100644 util/Seeder/Recipes/CollectionsRecipe.cs
 create mode 100644 util/Seeder/Recipes/GroupsRecipe.cs
 create mode 100644 util/Seeder/Recipes/OrganizationDomainRecipe.cs

diff --git a/test/Api.IntegrationTest/AdminConsole/Controllers/GroupsControllerPerformanceTests.cs b/test/Api.IntegrationTest/AdminConsole/Controllers/GroupsControllerPerformanceTests.cs
new file mode 100644
index 0000000000..71c6bf104c
--- /dev/null
+++ b/test/Api.IntegrationTest/AdminConsole/Controllers/GroupsControllerPerformanceTests.cs
@@ -0,0 +1,63 @@
+using System.Net;
+using System.Text;
+using System.Text.Json;
+using Bit.Api.AdminConsole.Models.Request;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Api.Models.Request;
+using Bit.Seeder.Recipes;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;
+
+public class GroupsControllerPerformanceTests(ITestOutputHelper testOutputHelper)
+{
+    /// <summary>
+    /// Tests PUT /organizations/{orgId}/groups/{id}
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10, 5)]
+    //[InlineData(100, 10)]
+    //[InlineData(1000, 20)]
+    public async Task UpdateGroup_WithUsersAndCollections(int userCount, int collectionCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: userCount);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        var collectionIds = collectionsSeeder.AddToOrganization(orgId, collectionCount, orgUserIds, 0);
+        var groupIds = groupsSeeder.AddToOrganization(orgId, 1, orgUserIds, 0);
+
+        var groupId = groupIds.First();
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var updateRequest = new GroupRequestModel
+        {
+            Name = "Updated Group Name",
+            Collections = collectionIds.Select(c => new SelectionReadOnlyRequestModel { Id = c, ReadOnly = false, HidePasswords = false, Manage = false }),
+            Users = orgUserIds
+        };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(updateRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PutAsync($"/organizations/{orgId}/groups/{groupId}", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"PUT /organizations/{{orgId}}/groups/{{id}} - Users: {orgUserIds.Count}; Collections: {collectionIds.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+}
diff --git a/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUsersControllerPerformanceTests.cs b/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUsersControllerPerformanceTests.cs
index d77a41f52e..fc64930777 100644
--- a/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUsersControllerPerformanceTests.cs
+++ b/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUsersControllerPerformanceTests.cs
@@ -1,39 +1,593 @@
 using System.Net;
-using System.Net.Http.Headers;
+using System.Text;
+using System.Text.Json;
+using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Api.Models.Request;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
 using Bit.Seeder.Recipes;
 using Xunit;
 using Xunit.Abstractions;
 
 namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;
 
-public class OrganizationUsersControllerPerformanceTest(ITestOutputHelper testOutputHelper)
+public class OrganizationUsersControllerPerformanceTests(ITestOutputHelper testOutputHelper)
 {
+    /// <summary>
+    /// Tests GET /organizations/{orgId}/users?includeCollections=true
+    /// </summary>
     [Theory(Skip = "Performance test")]
-    [InlineData(100)]
-    [InlineData(60000)]
-    public async Task GetAsync(int seats)
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task GetAllUsers_WithCollections(int seats)
     {
         await using var factory = new SqlServerApiApplicationFactory();
         var client = factory.CreateClient();
 
         var db = factory.GetDatabaseContext();
-        var seeder = new OrganizationWithUsersRecipe(db);
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
 
-        var orgId = seeder.Seed("Org", seats, "large.test");
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
 
-        var tokens = await factory.LoginAsync("admin@large.test", "c55hlJ/cfdvTd4awTXUqow6X3cOQCfGwn11o3HblnPs=");
-        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: seats);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        collectionsSeeder.AddToOrganization(orgId, 10, orgUserIds);
+        groupsSeeder.AddToOrganization(orgId, 5, orgUserIds);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
 
         var stopwatch = System.Diagnostics.Stopwatch.StartNew();
 
         var response = await client.GetAsync($"/organizations/{orgId}/users?includeCollections=true");
         Assert.Equal(HttpStatusCode.OK, response.StatusCode);
 
-        var result = await response.Content.ReadAsStringAsync();
-        Assert.NotEmpty(result);
+        stopwatch.Stop();
+        testOutputHelper.WriteLine($"GET /users - Seats: {seats}; Request duration: {stopwatch.ElapsedMilliseconds} ms");
+    }
+
+    /// <summary>
+    /// Tests GET /organizations/{orgId}/users/mini-details
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task GetAllUsers_MiniDetails(int seats)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: seats);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        collectionsSeeder.AddToOrganization(orgId, 10, orgUserIds);
+        groupsSeeder.AddToOrganization(orgId, 5, orgUserIds);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.GetAsync($"/organizations/{orgId}/users/mini-details");
 
         stopwatch.Stop();
-        testOutputHelper.WriteLine($"Seed: {seats}; Request duration: {stopwatch.ElapsedMilliseconds} ms");
+
+        testOutputHelper.WriteLine($"GET /users/mini-details - Seats: {seats}; Request duration: {stopwatch.ElapsedMilliseconds} ms");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests GET /organizations/{orgId}/users/{id}?includeGroups=true
+    /// </summary>
+    [Fact(Skip = "Performance test")]
+    public async Task GetSingleUser_WithGroups()
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: 1);
+
+        var orgUserId = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).FirstOrDefault();
+        groupsSeeder.AddToOrganization(orgId, 2, [orgUserId]);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.GetAsync($"/organizations/{orgId}/users/{orgUserId}?includeGroups=true");
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"GET /users/{{id}} - Request duration: {stopwatch.ElapsedMilliseconds} ms");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests GET /organizations/{orgId}/users/{id}/reset-password-details
+    /// </summary>
+    [Fact(Skip = "Performance test")]
+    public async Task GetResetPasswordDetails_ForSingleUser()
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: 1);
+
+        var orgUserId = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).FirstOrDefault();
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.GetAsync($"/organizations/{orgId}/users/{orgUserId}/reset-password-details");
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"GET /users/{{id}}/reset-password-details - Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{orgId}/users/confirm
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkConfirmUsers(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: userCount,
+            usersStatus: OrganizationUserStatusType.Accepted);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var acceptedUserIds = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Status == OrganizationUserStatusType.Accepted)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var confirmRequest = new OrganizationUserBulkConfirmRequestModel
+        {
+            Keys = acceptedUserIds.Select(id => new OrganizationUserBulkConfirmRequestModelEntry { Id = id, Key = "test-key-" + id }),
+            DefaultUserCollectionName = "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk="
+        };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(confirmRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync($"/organizations/{orgId}/users/confirm", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /users/confirm - Users: {acceptedUserIds.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{orgId}/users/remove
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkRemoveUsers(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: userCount);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToRemove = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var removeRequest = new OrganizationUserBulkRequestModel { Ids = usersToRemove };
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(removeRequest), Encoding.UTF8, "application/json");
+
+        var response = await client.PostAsync($"/organizations/{orgId}/users/remove", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /users/remove - Users: {usersToRemove.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests PUT /organizations/{orgId}/users/revoke
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkRevokeUsers(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: userCount,
+            usersStatus: OrganizationUserStatusType.Confirmed);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToRevoke = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var revokeRequest = new OrganizationUserBulkRequestModel { Ids = usersToRevoke };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(revokeRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PutAsync($"/organizations/{orgId}/users/revoke", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"PUT /users/revoke - Users: {usersToRevoke.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests PUT /organizations/{orgId}/users/restore
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkRestoreUsers(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: userCount,
+            usersStatus: OrganizationUserStatusType.Revoked);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToRestore = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var restoreRequest = new OrganizationUserBulkRequestModel { Ids = usersToRestore };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(restoreRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PutAsync($"/organizations/{orgId}/users/restore", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"PUT /users/restore - Users: {usersToRestore.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{orgId}/users/delete-account
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkDeleteAccounts(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var domainSeeder = new OrganizationDomainRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: userCount,
+            usersStatus: OrganizationUserStatusType.Confirmed);
+
+        domainSeeder.AddVerifiedDomainToOrganization(orgId, domain);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToDelete = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var deleteRequest = new OrganizationUserBulkRequestModel { Ids = usersToDelete };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(deleteRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync($"/organizations/{orgId}/users/delete-account", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /users/delete-account - Users: {usersToDelete.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests PUT /organizations/{orgId}/users/{id}
+    /// </summary>
+    [Fact(Skip = "Performance test")]
+    public async Task UpdateSingleUser_WithCollectionsAndGroups()
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: 1);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        var collectionIds = collectionsSeeder.AddToOrganization(orgId, 3, orgUserIds, 0);
+        var groupIds = groupsSeeder.AddToOrganization(orgId, 2, orgUserIds, 0);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var userToUpdate = db.OrganizationUsers
+            .FirstOrDefault(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User);
+
+        var updateRequest = new OrganizationUserUpdateRequestModel
+        {
+            Type = OrganizationUserType.Custom,
+            Collections = collectionIds.Select(c => new SelectionReadOnlyRequestModel { Id = c, ReadOnly = false, HidePasswords = false, Manage = false }),
+            Groups = groupIds,
+            AccessSecretsManager = false,
+            Permissions = new Permissions { AccessEventLogs = true }
+        };
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PutAsync($"/organizations/{orgId}/users/{userToUpdate.Id}",
+            new StringContent(JsonSerializer.Serialize(updateRequest), Encoding.UTF8, "application/json"));
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"PUT /users/{{id}} - Collections: {collectionIds.Count}; Groups: {groupIds.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests PUT /organizations/{orgId}/users/enable-secrets-manager
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkEnableSecretsManager(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: userCount);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToEnable = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var enableRequest = new OrganizationUserBulkRequestModel { Ids = usersToEnable };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(enableRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PutAsync($"/organizations/{orgId}/users/enable-secrets-manager", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"PUT /users/enable-secrets-manager - Users: {usersToEnable.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
+    }
+
+    /// <summary>
+    /// Tests DELETE /organizations/{orgId}/users/{id}/delete-account
+    /// </summary>
+    [Fact(Skip = "Performance test")]
+    public async Task DeleteSingleUserAccount_FromVerifiedDomain()
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var domainSeeder = new OrganizationDomainRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: 2,
+            usersStatus: OrganizationUserStatusType.Confirmed);
+
+        domainSeeder.AddVerifiedDomainToOrganization(orgId, domain);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var userToDelete = db.OrganizationUsers
+            .FirstOrDefault(ou => ou.OrganizationId == orgId && ou.Type == OrganizationUserType.User);
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.DeleteAsync($"/organizations/{orgId}/users/{userToDelete.Id}/delete-account");
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"DELETE /users/{{id}}/delete-account - Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{orgId}/users/invite
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(1)]
+    //[InlineData(5)]
+    //[InlineData(20)]
+    public async Task InviteUsers(int emailCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: 1);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        var collectionIds = collectionsSeeder.AddToOrganization(orgId, 2, orgUserIds, 0);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var emails = Enumerable.Range(0, emailCount).Select(i => $"{i:D4}@{domain}").ToArray();
+        var inviteRequest = new OrganizationUserInviteRequestModel
+        {
+            Emails = emails,
+            Type = OrganizationUserType.User,
+            AccessSecretsManager = false,
+            Collections = Array.Empty<SelectionReadOnlyRequestModel>(),
+            Groups = Array.Empty<Guid>(),
+            Permissions = null
+        };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(inviteRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync($"/organizations/{orgId}/users/invite", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /users/invite - Emails: {emails.Length}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{orgId}/users/reinvite
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10)]
+    //[InlineData(100)]
+    //[InlineData(1000)]
+    public async Task BulkReinviteUsers(int userCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(
+            name: "Org",
+            domain: domain,
+            users: userCount,
+            usersStatus: OrganizationUserStatusType.Invited);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var usersToReinvite = db.OrganizationUsers
+            .Where(ou => ou.OrganizationId == orgId && ou.Status == OrganizationUserStatusType.Invited)
+            .Select(ou => ou.Id)
+            .ToList();
+
+        var reinviteRequest = new OrganizationUserBulkRequestModel { Ids = usersToReinvite };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(reinviteRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync($"/organizations/{orgId}/users/reinvite", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /users/reinvite - Users: {usersToReinvite.Count}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.True(response.IsSuccessStatusCode);
     }
 }
diff --git a/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationsControllerPerformanceTests.cs b/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationsControllerPerformanceTests.cs
new file mode 100644
index 0000000000..238a9a5d53
--- /dev/null
+++ b/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationsControllerPerformanceTests.cs
@@ -0,0 +1,163 @@
+using System.Net;
+using System.Text;
+using System.Text.Json;
+using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.Auth.Models.Request.Accounts;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Core.AdminConsole.Models.Business.Tokenables;
+using Bit.Core.Billing.Enums;
+using Bit.Core.Tokens;
+using Bit.Seeder.Recipes;
+using Xunit;
+using Xunit.Abstractions;
+
+namespace Bit.Api.IntegrationTest.AdminConsole.Controllers;
+
+public class OrganizationsControllerPerformanceTests(ITestOutputHelper testOutputHelper)
+{
+    /// <summary>
+    /// Tests DELETE /organizations/{id} with password verification
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10, 5, 3)]
+    //[InlineData(100, 20, 10)]
+    //[InlineData(1000, 50, 25)]
+    public async Task DeleteOrganization_WithPasswordVerification(int userCount, int collectionCount, int groupCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: userCount);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        collectionsSeeder.AddToOrganization(orgId, collectionCount, orgUserIds, 0);
+        groupsSeeder.AddToOrganization(orgId, groupCount, orgUserIds, 0);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var deleteRequest = new SecretVerificationRequestModel
+        {
+            MasterPasswordHash = "c55hlJ/cfdvTd4awTXUqow6X3cOQCfGwn11o3HblnPs="
+        };
+
+        var request = new HttpRequestMessage(HttpMethod.Delete, $"/organizations/{orgId}")
+        {
+            Content = new StringContent(JsonSerializer.Serialize(deleteRequest), Encoding.UTF8, "application/json")
+        };
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+
+        var response = await client.SendAsync(request);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"DELETE /organizations/{{id}} - Users: {userCount}; Collections: {collectionCount}; Groups: {groupCount}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/{id}/delete-recover-token with token verification
+    /// </summary>
+    [Theory(Skip = "Performance test")]
+    [InlineData(10, 5, 3)]
+    //[InlineData(100, 20, 10)]
+    //[InlineData(1000, 50, 25)]
+    public async Task DeleteOrganization_WithTokenVerification(int userCount, int collectionCount, int groupCount)
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var db = factory.GetDatabaseContext();
+        var orgSeeder = new OrganizationWithUsersRecipe(db);
+        var collectionsSeeder = new CollectionsRecipe(db);
+        var groupsSeeder = new GroupsRecipe(db);
+
+        var domain = OrganizationTestHelpers.GenerateRandomDomain();
+        var orgId = orgSeeder.Seed(name: "Org", domain: domain, users: userCount);
+
+        var orgUserIds = db.OrganizationUsers.Where(ou => ou.OrganizationId == orgId).Select(ou => ou.Id).ToList();
+        collectionsSeeder.AddToOrganization(orgId, collectionCount, orgUserIds, 0);
+        groupsSeeder.AddToOrganization(orgId, groupCount, orgUserIds, 0);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, $"owner@{domain}");
+
+        var organization = db.Organizations.FirstOrDefault(o => o.Id == orgId);
+        Assert.NotNull(organization);
+
+        var tokenFactory = factory.GetService<IDataProtectorTokenFactory<OrgDeleteTokenable>>();
+        var tokenable = new OrgDeleteTokenable(organization, 24);
+        var token = tokenFactory.Protect(tokenable);
+
+        var deleteRequest = new OrganizationVerifyDeleteRecoverRequestModel
+        {
+            Token = token
+        };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(deleteRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync($"/organizations/{orgId}/delete-recover-token", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /organizations/{{id}}/delete-recover-token - Users: {userCount}; Collections: {collectionCount}; Groups: {groupCount}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+
+    /// <summary>
+    /// Tests POST /organizations/create-without-payment
+    /// </summary>
+    [Fact(Skip = "Performance test")]
+    public async Task CreateOrganization_WithoutPayment()
+    {
+        await using var factory = new SqlServerApiApplicationFactory();
+        var client = factory.CreateClient();
+
+        var email = $"user@{OrganizationTestHelpers.GenerateRandomDomain()}";
+        var masterPasswordHash = "c55hlJ/cfdvTd4awTXUqow6X3cOQCfGwn11o3HblnPs=";
+
+        await factory.LoginWithNewAccount(email, masterPasswordHash);
+
+        await PerformanceTestHelpers.AuthenticateClientAsync(factory, client, email, masterPasswordHash);
+
+        var createRequest = new OrganizationNoPaymentCreateRequest
+        {
+            Name = "Test Organization",
+            BusinessName = "Test Business Name",
+            BillingEmail = email,
+            PlanType = PlanType.EnterpriseAnnually,
+            Key = "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk=",
+            AdditionalSeats = 1,
+            AdditionalStorageGb = 1,
+            UseSecretsManager = true,
+            AdditionalSmSeats = 1,
+            AdditionalServiceAccounts = 2,
+            MaxAutoscaleSeats = 100,
+            PremiumAccessAddon = false,
+            CollectionName = "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk="
+        };
+
+        var requestContent = new StringContent(JsonSerializer.Serialize(createRequest), Encoding.UTF8, "application/json");
+
+        var stopwatch = System.Diagnostics.Stopwatch.StartNew();
+
+        var response = await client.PostAsync("/organizations/create-without-payment", requestContent);
+
+        stopwatch.Stop();
+
+        testOutputHelper.WriteLine($"POST /organizations/create-without-payment - AdditionalSeats: {createRequest.AdditionalSeats}; AdditionalStorageGb: {createRequest.AdditionalStorageGb}; AdditionalSmSeats: {createRequest.AdditionalSmSeats}; AdditionalServiceAccounts: {createRequest.AdditionalServiceAccounts}; MaxAutoscaleSeats: {createRequest.MaxAutoscaleSeats}; Request duration: {stopwatch.ElapsedMilliseconds} ms; Status: {response.StatusCode}");
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+    }
+}
diff --git a/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs b/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs
index c23ebff736..bcde370b24 100644
--- a/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs
+++ b/test/Api.IntegrationTest/Helpers/OrganizationTestHelpers.cs
@@ -192,6 +192,15 @@ public static class OrganizationTestHelpers
         await policyRepository.CreateAsync(policy);
     }
 
+    /// <summary>
+    /// Generates a unique random domain name for testing purposes.
+    /// </summary>
+    /// <returns>A domain string like "a1b2c3d4.com"</returns>
+    public static string GenerateRandomDomain()
+    {
+        return $"{Guid.NewGuid().ToString("N").Substring(0, 8)}.com";
+    }
+
     /// <summary>
     /// Creates a user account without a Master Password and adds them as a member to the specified organization.
     /// </summary>
diff --git a/test/Api.IntegrationTest/Helpers/PerformanceTestHelpers.cs b/test/Api.IntegrationTest/Helpers/PerformanceTestHelpers.cs
new file mode 100644
index 0000000000..ca26266dfa
--- /dev/null
+++ b/test/Api.IntegrationTest/Helpers/PerformanceTestHelpers.cs
@@ -0,0 +1,32 @@
+using System.Net.Http.Headers;
+using Bit.Api.IntegrationTest.Factories;
+
+namespace Bit.Api.IntegrationTest.Helpers;
+
+/// <summary>
+/// Helper methods for performance tests to reduce code duplication.
+/// </summary>
+public static class PerformanceTestHelpers
+{
+    /// <summary>
+    /// Standard password hash used across performance tests.
+    /// </summary>
+    public const string StandardPasswordHash = "c55hlJ/cfdvTd4awTXUqow6X3cOQCfGwn11o3HblnPs=";
+
+    /// <summary>
+    /// Authenticates an HttpClient with a bearer token for the specified user.
+    /// </summary>
+    /// <param name="factory">The application factory to use for login.</param>
+    /// <param name="client">The HttpClient to authenticate.</param>
+    /// <param name="email">The user's email address.</param>
+    /// <param name="masterPasswordHash">The user's master password hash. Defaults to StandardPasswordHash.</param>
+    public static async Task AuthenticateClientAsync(
+        SqlServerApiApplicationFactory factory,
+        HttpClient client,
+        string email,
+        string? masterPasswordHash = null)
+    {
+        var tokens = await factory.LoginAsync(email, masterPasswordHash ?? StandardPasswordHash);
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
+    }
+}
diff --git a/util/DbSeederUtility/Program.cs b/util/DbSeederUtility/Program.cs
index 2d75b31934..0b41c1a692 100644
--- a/util/DbSeederUtility/Program.cs
+++ b/util/DbSeederUtility/Program.cs
@@ -34,6 +34,6 @@ public class Program
         var db = scopedServices.GetRequiredService<DatabaseContext>();
 
         var recipe = new OrganizationWithUsersRecipe(db);
-        recipe.Seed(name, users, domain);
+        recipe.Seed(name: name, domain: domain, users: users);
     }
 }
diff --git a/util/Seeder/Factories/OrganizationSeeder.cs b/util/Seeder/Factories/OrganizationSeeder.cs
index f6f05d9525..012661501f 100644
--- a/util/Seeder/Factories/OrganizationSeeder.cs
+++ b/util/Seeder/Factories/OrganizationSeeder.cs
@@ -17,7 +17,31 @@ public class OrganizationSeeder
             Plan = "Enterprise (Annually)",
             PlanType = PlanType.EnterpriseAnnually,
             Seats = seats,
-
+            UseCustomPermissions = true,
+            UseOrganizationDomains = true,
+            UseSecretsManager = true,
+            UseGroups = true,
+            UseDirectory = true,
+            UseEvents = true,
+            UseTotp = true,
+            Use2fa = true,
+            UseApi = true,
+            UseResetPassword = true,
+            UsePasswordManager = true,
+            UseAutomaticUserConfirmation = true,
+            SelfHost = true,
+            UsersGetPremium = true,
+            LimitCollectionCreation = true,
+            LimitCollectionDeletion = true,
+            LimitItemDeletion = true,
+            AllowAdminAccessToAllCollectionItems = true,
+            UseRiskInsights = true,
+            UseAdminSponsoredFamilies = true,
+            SyncSeats = true,
+            Status = OrganizationStatusType.Created,
+            //GatewayCustomerId = "example-customer-id",
+            //GatewaySubscriptionId = "example-subscription-id",
+            MaxStorageGb = 10,
             // Currently hardcoded to the values from https://github.com/bitwarden/sdk-internal/blob/main/crates/bitwarden-core/src/client/test_accounts.rs.
             // TODO: These should be dynamically generated by the SDK.
             PublicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmIJbGMk6eZqVE7UxhZ46Weu2jKciqOiOkSVYtGvs61rfe9AXxtLaaZEKN4d4DmkZcF6dna2eXNxZmb7U4pwlttye8ksqISe6IUAZQox7auBpjopdCEPhKRg3BD/u8ks9UxSxgWe+fpebjt6gd5hsl1/5HOObn7SeU6EEU04cp3/eH7a4OTdXxB8oN62HGV9kM/ubM1goILgjoSJDbihMK0eb7b8hPHwcA/YOgKKiu/N3FighccdSMD5Pk+HfjacsFNZQa2EsqW09IvvSZ+iL6HQeZ1vwc/6TO1J7EOfJZFQcjoEL9LVI693efYoMZSmrPEWziZ4PvwpOOGo6OObyMQIDAQAB",
@@ -28,17 +52,25 @@ public class OrganizationSeeder
 
 public static class OrgnaizationExtensions
 {
-    public static OrganizationUser CreateOrganizationUser(this Organization organization, User user)
+    /// <summary>
+    /// Creates an OrganizationUser with fields populated based on status.
+    /// For Invited status, only user.Email is used. For other statuses, user.Id is used.
+    /// </summary>
+    public static OrganizationUser CreateOrganizationUser(
+        this Organization organization, User user, OrganizationUserType type, OrganizationUserStatusType status)
     {
+        var isInvited = status == OrganizationUserStatusType.Invited;
+        var isConfirmed = status == OrganizationUserStatusType.Confirmed || status == OrganizationUserStatusType.Revoked;
+
         return new OrganizationUser
         {
             Id = Guid.NewGuid(),
             OrganizationId = organization.Id,
-            UserId = user.Id,
-
-            Key = "4.rY01mZFXHOsBAg5Fq4gyXuklWfm6mQASm42DJpx05a+e2mmp+P5W6r54WU2hlREX0uoTxyP91bKKwickSPdCQQ58J45LXHdr9t2uzOYyjVzpzebFcdMw1eElR9W2DW8wEk9+mvtWvKwu7yTebzND+46y1nRMoFydi5zPVLSlJEf81qZZ4Uh1UUMLwXz+NRWfixnGXgq2wRq1bH0n3mqDhayiG4LJKgGdDjWXC8W8MMXDYx24SIJrJu9KiNEMprJE+XVF9nQVNijNAjlWBqkDpsfaWTUfeVLRLctfAqW1blsmIv4RQ91PupYJZDNc8nO9ZTF3TEVM+2KHoxzDJrLs2Q==",
-            Type = OrganizationUserType.Admin,
-            Status = OrganizationUserStatusType.Confirmed
+            UserId = isInvited ? null : user.Id,
+            Email = isInvited ? user.Email : null,
+            Key = isConfirmed ? "4.rY01mZFXHOsBAg5Fq4gyXuklWfm6mQASm42DJpx05a+e2mmp+P5W6r54WU2hlREX0uoTxyP91bKKwickSPdCQQ58J45LXHdr9t2uzOYyjVzpzebFcdMw1eElR9W2DW8wEk9+mvtWvKwu7yTebzND+46y1nRMoFydi5zPVLSlJEf81qZZ4Uh1UUMLwXz+NRWfixnGXgq2wRq1bH0n3mqDhayiG4LJKgGdDjWXC8W8MMXDYx24SIJrJu9KiNEMprJE+XVF9nQVNijNAjlWBqkDpsfaWTUfeVLRLctfAqW1blsmIv4RQ91PupYJZDNc8nO9ZTF3TEVM+2KHoxzDJrLs2Q==" : null,
+            Type = type,
+            Status = status
         };
     }
 
diff --git a/util/Seeder/Recipes/CollectionsRecipe.cs b/util/Seeder/Recipes/CollectionsRecipe.cs
new file mode 100644
index 0000000000..e0f9057418
--- /dev/null
+++ b/util/Seeder/Recipes/CollectionsRecipe.cs
@@ -0,0 +1,122 @@
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using LinqToDB.EntityFrameworkCore;
+
+namespace Bit.Seeder.Recipes;
+
+public class CollectionsRecipe(DatabaseContext db)
+{
+    /// <summary>
+    /// Adds collections to an organization and creates relationships between users and collections.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization to add collections to.</param>
+    /// <param name="collections">The number of collections to add.</param>
+    /// <param name="organizationUserIds">The IDs of the users to create relationships with.</param>
+    /// <param name="maxUsersWithRelationships">The maximum number of users to create relationships with.</param>
+    public List<Guid> AddToOrganization(Guid organizationId, int collections, List<Guid> organizationUserIds, int maxUsersWithRelationships = 1000)
+    {
+        var collectionList = CreateAndSaveCollections(organizationId, collections);
+
+        if (collectionList.Any())
+        {
+            CreateAndSaveCollectionUserRelationships(collectionList, organizationUserIds, maxUsersWithRelationships);
+        }
+
+        return collectionList.Select(c => c.Id).ToList();
+    }
+
+    private List<Core.Entities.Collection> CreateAndSaveCollections(Guid organizationId, int count)
+    {
+        var collectionList = new List<Core.Entities.Collection>();
+
+        for (var i = 0; i < count; i++)
+        {
+            collectionList.Add(new Core.Entities.Collection
+            {
+                Id = CoreHelpers.GenerateComb(),
+                OrganizationId = organizationId,
+                Name = $"Collection {i + 1}",
+                Type = CollectionType.SharedCollection,
+                CreationDate = DateTime.UtcNow,
+                RevisionDate = DateTime.UtcNow
+            });
+        }
+
+        if (collectionList.Any())
+        {
+            db.BulkCopy(collectionList);
+        }
+
+        return collectionList;
+    }
+
+    private void CreateAndSaveCollectionUserRelationships(
+        List<Core.Entities.Collection> collections,
+        List<Guid> organizationUserIds,
+        int maxUsersWithRelationships)
+    {
+        if (!organizationUserIds.Any() || maxUsersWithRelationships <= 0)
+        {
+            return;
+        }
+
+        var collectionUsers = BuildCollectionUserRelationships(collections, organizationUserIds, maxUsersWithRelationships);
+
+        if (collectionUsers.Any())
+        {
+            db.BulkCopy(collectionUsers);
+        }
+    }
+
+    /// <summary>
+    /// Creates user-to-collection relationships with varied assignment patterns for realistic test data.
+    /// Each user gets 1-3 collections based on a rotating pattern.
+    /// </summary>
+    private List<Core.Entities.CollectionUser> BuildCollectionUserRelationships(
+        List<Core.Entities.Collection> collections,
+        List<Guid> organizationUserIds,
+        int maxUsersWithRelationships)
+    {
+        var maxRelationships = Math.Min(organizationUserIds.Count, maxUsersWithRelationships);
+        var collectionUsers = new List<Core.Entities.CollectionUser>();
+
+        for (var i = 0; i < maxRelationships; i++)
+        {
+            var orgUserId = organizationUserIds[i];
+            var userCollectionAssignments = CreateCollectionAssignmentsForUser(collections, orgUserId, i);
+            collectionUsers.AddRange(userCollectionAssignments);
+        }
+
+        return collectionUsers;
+    }
+
+    /// <summary>
+    /// Assigns collections to a user with varying permissions.
+    /// Pattern: 1-3 collections per user (cycles: 1, 2, 3, 1, 2, 3...).
+    /// First collection has Manage rights, subsequent ones are ReadOnly.
+    /// </summary>
+    private List<Core.Entities.CollectionUser> CreateCollectionAssignmentsForUser(
+        List<Core.Entities.Collection> collections,
+        Guid organizationUserId,
+        int userIndex)
+    {
+        var assignments = new List<Core.Entities.CollectionUser>();
+        var userCollectionCount = (userIndex % 3) + 1; // Cycles through 1, 2, or 3 collections
+
+        for (var j = 0; j < userCollectionCount; j++)
+        {
+            var collectionIndex = (userIndex + j) % collections.Count; // Distribute across available collections
+            assignments.Add(new Core.Entities.CollectionUser
+            {
+                CollectionId = collections[collectionIndex].Id,
+                OrganizationUserId = organizationUserId,
+                ReadOnly = j > 0,      // First assignment gets write access
+                HidePasswords = false,
+                Manage = j == 0        // First assignment gets manage permissions
+            });
+        }
+
+        return assignments;
+    }
+}
diff --git a/util/Seeder/Recipes/GroupsRecipe.cs b/util/Seeder/Recipes/GroupsRecipe.cs
new file mode 100644
index 0000000000..3c8156d921
--- /dev/null
+++ b/util/Seeder/Recipes/GroupsRecipe.cs
@@ -0,0 +1,94 @@
+using Bit.Core.Utilities;
+using Bit.Infrastructure.EntityFramework.Repositories;
+using LinqToDB.EntityFrameworkCore;
+
+namespace Bit.Seeder.Recipes;
+
+public class GroupsRecipe(DatabaseContext db)
+{
+    /// <summary>
+    /// Adds groups to an organization and creates relationships between users and groups.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization to add groups to.</param>
+    /// <param name="groups">The number of groups to add.</param>
+    /// <param name="organizationUserIds">The IDs of the users to create relationships with.</param>
+    /// <param name="maxUsersWithRelationships">The maximum number of users to create relationships with.</param>
+    public List<Guid> AddToOrganization(Guid organizationId, int groups, List<Guid> organizationUserIds, int maxUsersWithRelationships = 1000)
+    {
+        var groupList = CreateAndSaveGroups(organizationId, groups);
+
+        if (groupList.Any())
+        {
+            CreateAndSaveGroupUserRelationships(groupList, organizationUserIds, maxUsersWithRelationships);
+        }
+
+        return groupList.Select(g => g.Id).ToList();
+    }
+
+    private List<Core.AdminConsole.Entities.Group> CreateAndSaveGroups(Guid organizationId, int count)
+    {
+        var groupList = new List<Core.AdminConsole.Entities.Group>();
+
+        for (var i = 0; i < count; i++)
+        {
+            groupList.Add(new Core.AdminConsole.Entities.Group
+            {
+                Id = CoreHelpers.GenerateComb(),
+                OrganizationId = organizationId,
+                Name = $"Group {i + 1}"
+            });
+        }
+
+        if (groupList.Any())
+        {
+            db.BulkCopy(groupList);
+        }
+
+        return groupList;
+    }
+
+    private void CreateAndSaveGroupUserRelationships(
+        List<Core.AdminConsole.Entities.Group> groups,
+        List<Guid> organizationUserIds,
+        int maxUsersWithRelationships)
+    {
+        if (!organizationUserIds.Any() || maxUsersWithRelationships <= 0)
+        {
+            return;
+        }
+
+        var groupUsers = BuildGroupUserRelationships(groups, organizationUserIds, maxUsersWithRelationships);
+
+        if (groupUsers.Any())
+        {
+            db.BulkCopy(groupUsers);
+        }
+    }
+
+    /// <summary>
+    /// Creates user-to-group relationships with distributed assignment patterns for realistic test data.
+    /// Each user is assigned to one group, distributed evenly across available groups.
+    /// </summary>
+    private List<Core.AdminConsole.Entities.GroupUser> BuildGroupUserRelationships(
+        List<Core.AdminConsole.Entities.Group> groups,
+        List<Guid> organizationUserIds,
+        int maxUsersWithRelationships)
+    {
+        var maxRelationships = Math.Min(organizationUserIds.Count, maxUsersWithRelationships);
+        var groupUsers = new List<Core.AdminConsole.Entities.GroupUser>();
+
+        for (var i = 0; i < maxRelationships; i++)
+        {
+            var orgUserId = organizationUserIds[i];
+            var groupIndex = i % groups.Count; // Round-robin distribution across groups
+
+            groupUsers.Add(new Core.AdminConsole.Entities.GroupUser
+            {
+                GroupId = groups[groupIndex].Id,
+                OrganizationUserId = orgUserId
+            });
+        }
+
+        return groupUsers;
+    }
+}
diff --git a/util/Seeder/Recipes/OrganizationDomainRecipe.cs b/util/Seeder/Recipes/OrganizationDomainRecipe.cs
new file mode 100644
index 0000000000..b62dd5115e
--- /dev/null
+++ b/util/Seeder/Recipes/OrganizationDomainRecipe.cs
@@ -0,0 +1,25 @@
+using Bit.Infrastructure.EntityFramework.Models;
+using Bit.Infrastructure.EntityFramework.Repositories;
+
+namespace Bit.Seeder.Recipes;
+
+public class OrganizationDomainRecipe(DatabaseContext db)
+{
+    public void AddVerifiedDomainToOrganization(Guid organizationId, string domainName)
+    {
+        var domain = new OrganizationDomain
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = organizationId,
+            DomainName = domainName,
+            Txt = Guid.NewGuid().ToString("N"),
+            CreationDate = DateTime.UtcNow,
+        };
+
+        domain.SetVerifiedDate();
+        domain.SetLastCheckedDate();
+
+        db.Add(domain);
+        db.SaveChanges();
+    }
+}
diff --git a/util/Seeder/Recipes/OrganizationWithUsersRecipe.cs b/util/Seeder/Recipes/OrganizationWithUsersRecipe.cs
index fb06c091ae..7678c3a9ce 100644
--- a/util/Seeder/Recipes/OrganizationWithUsersRecipe.cs
+++ b/util/Seeder/Recipes/OrganizationWithUsersRecipe.cs
@@ -1,4 +1,5 @@
-using Bit.Infrastructure.EntityFramework.Models;
+using Bit.Core.Enums;
+using Bit.Infrastructure.EntityFramework.Models;
 using Bit.Infrastructure.EntityFramework.Repositories;
 using Bit.Seeder.Factories;
 using LinqToDB.EntityFrameworkCore;
@@ -7,11 +8,12 @@ namespace Bit.Seeder.Recipes;
 
 public class OrganizationWithUsersRecipe(DatabaseContext db)
 {
-    public Guid Seed(string name, int users, string domain)
+    public Guid Seed(string name, string domain, int users, OrganizationUserStatusType usersStatus = OrganizationUserStatusType.Confirmed)
     {
-        var organization = OrganizationSeeder.CreateEnterprise(name, domain, users);
-        var user = UserSeeder.CreateUser($"admin@{domain}");
-        var orgUser = organization.CreateOrganizationUser(user);
+        var seats = Math.Max(users + 1, 1000);
+        var organization = OrganizationSeeder.CreateEnterprise(name, domain, seats);
+        var ownerUser = UserSeeder.CreateUser($"owner@{domain}");
+        var ownerOrgUser = organization.CreateOrganizationUser(ownerUser, OrganizationUserType.Owner, OrganizationUserStatusType.Confirmed);
 
         var additionalUsers = new List<User>();
         var additionalOrgUsers = new List<OrganizationUser>();
@@ -19,12 +21,12 @@ public class OrganizationWithUsersRecipe(DatabaseContext db)
         {
             var additionalUser = UserSeeder.CreateUser($"user{i}@{domain}");
             additionalUsers.Add(additionalUser);
-            additionalOrgUsers.Add(organization.CreateOrganizationUser(additionalUser));
+            additionalOrgUsers.Add(organization.CreateOrganizationUser(additionalUser, OrganizationUserType.User, usersStatus));
         }
 
         db.Add(organization);
-        db.Add(user);
-        db.Add(orgUser);
+        db.Add(ownerUser);
+        db.Add(ownerOrgUser);
 
         db.SaveChanges();
 

From 18a8829476230649e5b981a500b737c56a5ae7be Mon Sep 17 00:00:00 2001
From: Jared McCannon <jmccannon@bitwarden.com>
Date: Fri, 5 Dec 2025 08:28:42 -0600
Subject: [PATCH 2/4] [PM-26377] Correcting Auto Confirm Handler Provider Check
 (#6681)

* Fixed bug where providers weren't being checked correctly in auto confirm handler.
---
 ...maticUserConfirmationPolicyEventHandler.cs |  75 ++---
 .../Repositories/IProviderUserRepository.cs   |   1 +
 .../Repositories/ProviderUserRepository.cs    |  12 +
 .../Repositories/ProviderUserRepository.cs    |  14 +
 .../ProviderUser_ReadManyByManyUserIds.sql    |  13 +
 ...UserConfirmationPolicyEventHandlerTests.cs | 310 +++---------------
 .../ProviderUserRepositoryTests.cs            | 282 ++++++++++++++++
 ...-12-03_00_ProviderUserGetManyByUserIds.sql |  13 +
 8 files changed, 398 insertions(+), 322 deletions(-)
 create mode 100644 src/Sql/dbo/Stored Procedures/ProviderUser_ReadManyByManyUserIds.sql
 create mode 100644 util/Migrator/DbScripts/2025-12-03_00_ProviderUserGetManyByUserIds.sql

diff --git a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/AutomaticUserConfirmationPolicyEventHandler.cs b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/AutomaticUserConfirmationPolicyEventHandler.cs
index c0d302df02..86c94147f4 100644
--- a/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/AutomaticUserConfirmationPolicyEventHandler.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/AutomaticUserConfirmationPolicyEventHandler.cs
@@ -4,6 +4,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
 using Bit.Core.Repositories;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
@@ -17,26 +18,13 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
 ///     <li>All organization users are compliant with the Single organization policy</li>
 ///     <li>No provider users exist</li>
 /// </ul>
-///
-/// This class also performs side effects when the policy is being enabled or disabled. They are:
-/// <ul>
-///     <li>Sets the UseAutomaticUserConfirmation organization feature to match the policy update</li>
-/// </ul>
 /// </summary>
 public class AutomaticUserConfirmationPolicyEventHandler(
     IOrganizationUserRepository organizationUserRepository,
-    IProviderUserRepository providerUserRepository,
-    IPolicyRepository policyRepository,
-    IOrganizationRepository organizationRepository,
-    TimeProvider timeProvider)
-    : IPolicyValidator, IPolicyValidationEvent, IOnPolicyPreUpdateEvent, IEnforceDependentPoliciesEvent
+    IProviderUserRepository providerUserRepository)
+    : IPolicyValidator, IPolicyValidationEvent, IEnforceDependentPoliciesEvent
 {
     public PolicyType Type => PolicyType.AutomaticUserConfirmation;
-    public async Task ExecutePreUpsertSideEffectAsync(SavePolicyModel policyRequest, Policy? currentPolicy) =>
-        await OnSaveSideEffectsAsync(policyRequest.PolicyUpdate, currentPolicy);
-
-    private const string _singleOrgPolicyNotEnabledErrorMessage =
-        "The Single organization policy must be enabled before enabling the Automatically confirm invited users policy.";
 
     private const string _usersNotCompliantWithSingleOrgErrorMessage =
         "All organization users must be compliant with the Single organization policy before enabling the Automatically confirm invited users policy. Please remove users who are members of multiple organizations.";
@@ -61,27 +49,20 @@ public class AutomaticUserConfirmationPolicyEventHandler(
     public async Task<string> ValidateAsync(SavePolicyModel savePolicyModel, Policy? currentPolicy) =>
         await ValidateAsync(savePolicyModel.PolicyUpdate, currentPolicy);
 
-    public async Task OnSaveSideEffectsAsync(PolicyUpdate policyUpdate, Policy? currentPolicy)
-    {
-        var organization = await organizationRepository.GetByIdAsync(policyUpdate.OrganizationId);
-
-        if (organization is not null)
-        {
-            organization.UseAutomaticUserConfirmation = policyUpdate.Enabled;
-            organization.RevisionDate = timeProvider.GetUtcNow().UtcDateTime;
-            await organizationRepository.UpsertAsync(organization);
-        }
-    }
+    public Task OnSaveSideEffectsAsync(PolicyUpdate policyUpdate, Policy? currentPolicy) =>
+        Task.CompletedTask;
 
     private async Task<string> ValidateEnablingPolicyAsync(Guid organizationId)
     {
-        var singleOrgValidationError = await ValidateSingleOrgPolicyComplianceAsync(organizationId);
+        var organizationUsers = await organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);
+
+        var singleOrgValidationError = await ValidateUserComplianceWithSingleOrgAsync(organizationId, organizationUsers);
         if (!string.IsNullOrWhiteSpace(singleOrgValidationError))
         {
             return singleOrgValidationError;
         }
 
-        var providerValidationError = await ValidateNoProviderUsersAsync(organizationId);
+        var providerValidationError = await ValidateNoProviderUsersAsync(organizationUsers);
         if (!string.IsNullOrWhiteSpace(providerValidationError))
         {
             return providerValidationError;
@@ -90,42 +71,24 @@ public class AutomaticUserConfirmationPolicyEventHandler(
         return string.Empty;
     }
 
-    private async Task<string> ValidateSingleOrgPolicyComplianceAsync(Guid organizationId)
+    private async Task<string> ValidateUserComplianceWithSingleOrgAsync(Guid organizationId,
+        ICollection<OrganizationUserUserDetails> organizationUsers)
     {
-        var singleOrgPolicy = await policyRepository.GetByOrganizationIdTypeAsync(organizationId, PolicyType.SingleOrg);
-        if (singleOrgPolicy is not { Enabled: true })
-        {
-            return _singleOrgPolicyNotEnabledErrorMessage;
-        }
-
-        return await ValidateUserComplianceWithSingleOrgAsync(organizationId);
-    }
-
-    private async Task<string> ValidateUserComplianceWithSingleOrgAsync(Guid organizationId)
-    {
-        var organizationUsers = (await organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId))
-            .Where(ou => ou.Status != OrganizationUserStatusType.Invited &&
-                         ou.Status != OrganizationUserStatusType.Revoked &&
-                         ou.UserId.HasValue)
-            .ToList();
-
-        if (organizationUsers.Count == 0)
-        {
-            return string.Empty;
-        }
-
         var hasNonCompliantUser = (await organizationUserRepository.GetManyByManyUsersAsync(
                 organizationUsers.Select(ou => ou.UserId!.Value)))
-            .Any(uo => uo.OrganizationId != organizationId &&
-                       uo.Status != OrganizationUserStatusType.Invited);
+            .Any(uo => uo.OrganizationId != organizationId
+                       && uo.Status != OrganizationUserStatusType.Invited);
 
         return hasNonCompliantUser ? _usersNotCompliantWithSingleOrgErrorMessage : string.Empty;
     }
 
-    private async Task<string> ValidateNoProviderUsersAsync(Guid organizationId)
+    private async Task<string> ValidateNoProviderUsersAsync(ICollection<OrganizationUserUserDetails> organizationUsers)
     {
-        var providerUsers = await providerUserRepository.GetManyByOrganizationAsync(organizationId);
+        var userIds = organizationUsers.Where(x => x.UserId is not null)
+            .Select(x => x.UserId!.Value);
 
-        return providerUsers.Count > 0 ? _providerUsersExistErrorMessage : string.Empty;
+        return (await providerUserRepository.GetManyByManyUsersAsync(userIds)).Count != 0
+            ? _providerUsersExistErrorMessage
+            : string.Empty;
     }
 }
diff --git a/src/Core/AdminConsole/Repositories/IProviderUserRepository.cs b/src/Core/AdminConsole/Repositories/IProviderUserRepository.cs
index 7bc4125778..0a640b7530 100644
--- a/src/Core/AdminConsole/Repositories/IProviderUserRepository.cs
+++ b/src/Core/AdminConsole/Repositories/IProviderUserRepository.cs
@@ -12,6 +12,7 @@ public interface IProviderUserRepository : IRepository<ProviderUser, Guid>
     Task<int> GetCountByProviderAsync(Guid providerId, string email, bool onlyRegisteredUsers);
     Task<ICollection<ProviderUser>> GetManyAsync(IEnumerable<Guid> ids);
     Task<ICollection<ProviderUser>> GetManyByUserAsync(Guid userId);
+    Task<ICollection<ProviderUser>> GetManyByManyUsersAsync(IEnumerable<Guid> userIds);
     Task<ProviderUser?> GetByProviderUserAsync(Guid providerId, Guid userId);
     Task<ICollection<ProviderUser>> GetManyByProviderAsync(Guid providerId, ProviderUserType? type = null);
     Task<ICollection<ProviderUserUserDetails>> GetManyDetailsByProviderAsync(Guid providerId, ProviderUserStatusType? status = null);
diff --git a/src/Infrastructure.Dapper/AdminConsole/Repositories/ProviderUserRepository.cs b/src/Infrastructure.Dapper/AdminConsole/Repositories/ProviderUserRepository.cs
index 467857612f..c05ff040e5 100644
--- a/src/Infrastructure.Dapper/AdminConsole/Repositories/ProviderUserRepository.cs
+++ b/src/Infrastructure.Dapper/AdminConsole/Repositories/ProviderUserRepository.cs
@@ -61,6 +61,18 @@ public class ProviderUserRepository : Repository<ProviderUser, Guid>, IProviderU
         }
     }
 
+    public async Task<ICollection<ProviderUser>> GetManyByManyUsersAsync(IEnumerable<Guid> userIds)
+    {
+        await using var connection = new SqlConnection(ConnectionString);
+
+        var results = await connection.QueryAsync<ProviderUser>(
+            "[dbo].[ProviderUser_ReadManyByManyUserIds]",
+            new { UserIds = userIds.ToGuidIdArrayTVP() },
+            commandType: CommandType.StoredProcedure);
+
+        return results.ToList();
+    }
+
     public async Task<ProviderUser?> GetByProviderUserAsync(Guid providerId, Guid userId)
     {
         using (var connection = new SqlConnection(ConnectionString))
diff --git a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/ProviderUserRepository.cs b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/ProviderUserRepository.cs
index 5474e3e217..8f9a38f9b6 100644
--- a/src/Infrastructure.EntityFramework/AdminConsole/Repositories/ProviderUserRepository.cs
+++ b/src/Infrastructure.EntityFramework/AdminConsole/Repositories/ProviderUserRepository.cs
@@ -96,6 +96,20 @@ public class ProviderUserRepository :
             return await query.ToArrayAsync();
         }
     }
+
+    public async Task<ICollection<ProviderUser>> GetManyByManyUsersAsync(IEnumerable<Guid> userIds)
+    {
+        await using var scope = ServiceScopeFactory.CreateAsyncScope();
+
+        var dbContext = GetDatabaseContext(scope);
+
+        var query = from pu in dbContext.ProviderUsers
+                    where pu.UserId != null && userIds.Contains(pu.UserId.Value)
+                    select pu;
+
+        return await query.ToArrayAsync();
+    }
+
     public async Task<ProviderUser> GetByProviderUserAsync(Guid providerId, Guid userId)
     {
         using (var scope = ServiceScopeFactory.CreateScope())
diff --git a/src/Sql/dbo/Stored Procedures/ProviderUser_ReadManyByManyUserIds.sql b/src/Sql/dbo/Stored Procedures/ProviderUser_ReadManyByManyUserIds.sql
new file mode 100644
index 0000000000..4fe8d153e4
--- /dev/null
+++ b/src/Sql/dbo/Stored Procedures/ProviderUser_ReadManyByManyUserIds.sql	
@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[ProviderUser_ReadManyByManyUserIds]
+    @UserIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        [pu].*
+    FROM
+        [dbo].[ProviderUserView] AS [pu]
+    INNER JOIN
+        @UserIds [u] ON [u].[Id] = [pu].[UserId]
+END
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/AutomaticUserConfirmationPolicyEventHandlerTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/AutomaticUserConfirmationPolicyEventHandlerTests.cs
index 4781127a3d..3c9fd9a9e9 100644
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/AutomaticUserConfirmationPolicyEventHandlerTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/AutomaticUserConfirmationPolicyEventHandlerTests.cs
@@ -21,52 +21,23 @@ namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyValidat
 public class AutomaticUserConfirmationPolicyEventHandlerTests
 {
     [Theory, BitAutoData]
-    public async Task ValidateAsync_EnablingPolicy_SingleOrgNotEnabled_ReturnsError(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+    public void RequiredPolicies_IncludesSingleOrg(
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
-        // Arrange
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns((Policy?)null);
-
         // Act
-        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+        var requiredPolicies = sutProvider.Sut.RequiredPolicies;
 
         // Assert
-        Assert.Contains("Single organization policy must be enabled", result, StringComparison.OrdinalIgnoreCase);
-    }
-
-    [Theory, BitAutoData]
-    public async Task ValidateAsync_EnablingPolicy_SingleOrgPolicyDisabled_ReturnsError(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg, false)] Policy singleOrgPolicy,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
-        // Act
-        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
-
-        // Assert
-        Assert.Contains("Single organization policy must be enabled", result, StringComparison.OrdinalIgnoreCase);
+        Assert.Contains(PolicyType.SingleOrg, requiredPolicies);
     }
 
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_UsersNotCompliantWithSingleOrg_ReturnsError(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         Guid nonCompliantUserId,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var orgUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -85,10 +56,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Status = OrganizationUserStatusType.Confirmed
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([orgUser]);
@@ -107,13 +74,10 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_UserWithInvitedStatusInOtherOrg_ValidationPasses(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         Guid userId,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var orgUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -121,7 +85,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
             UserId = userId,
-            Email = "test@email.com"
         };
 
         var otherOrgUser = new OrganizationUser
@@ -133,10 +96,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Email = orgUser.Email
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([orgUser]);
@@ -146,7 +105,7 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             .Returns([otherOrgUser]);
 
         sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([]);
 
         // Act
@@ -159,30 +118,37 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_ProviderUsersExist_ReturnsError(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        Guid userId,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+        var orgUser = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = policyUpdate.OrganizationId,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = userId
+        };
 
         var providerUser = new ProviderUser
         {
             Id = Guid.NewGuid(),
             ProviderId = Guid.NewGuid(),
-            UserId = Guid.NewGuid(),
+            UserId = userId,
             Status = ProviderUserStatusType.Confirmed
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([orgUser]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([]);
 
         sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([providerUser]);
 
         // Act
@@ -196,26 +162,18 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_AllValidationsPassed_ReturnsEmptyString(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var orgUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
             OrganizationId = policyUpdate.OrganizationId,
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Confirmed,
-            UserId = Guid.NewGuid(),
-            Email = "user@example.com"
+            UserId = Guid.NewGuid()
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([orgUser]);
@@ -225,7 +183,7 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             .Returns([]);
 
         sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([]);
 
         // Act
@@ -249,9 +207,10 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
 
         // Assert
         Assert.True(string.IsNullOrEmpty(result));
-        await sutProvider.GetDependency<IPolicyRepository>()
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
             .DidNotReceive()
-            .GetByOrganizationIdTypeAsync(Arg.Any<Guid>(), Arg.Any<PolicyType>());
+            .GetManyDetailsByOrganizationAsync(Arg.Any<Guid>());
     }
 
     [Theory, BitAutoData]
@@ -268,21 +227,18 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
 
         // Assert
         Assert.True(string.IsNullOrEmpty(result));
-        await sutProvider.GetDependency<IPolicyRepository>()
+        await sutProvider.GetDependency<IOrganizationUserRepository>()
             .DidNotReceive()
-            .GetByOrganizationIdTypeAsync(Arg.Any<Guid>(), Arg.Any<PolicyType>());
+            .GetManyDetailsByOrganizationAsync(Arg.Any<Guid>());
     }
 
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_IncludesOwnersAndAdmins_InComplianceCheck(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         Guid nonCompliantOwnerId,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var ownerUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -290,7 +246,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Type = OrganizationUserType.Owner,
             Status = OrganizationUserStatusType.Confirmed,
             UserId = nonCompliantOwnerId,
-            Email = "owner@example.com"
         };
 
         var otherOrgUser = new OrganizationUser
@@ -301,10 +256,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Status = OrganizationUserStatusType.Confirmed
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([ownerUser]);
@@ -323,12 +274,9 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_InvitedUsersExcluded_FromComplianceCheck(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var invitedUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -339,16 +287,12 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Email = "invited@example.com"
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([invitedUser]);
 
         sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([]);
 
         // Act
@@ -359,14 +303,11 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
     }
 
     [Theory, BitAutoData]
-    public async Task ValidateAsync_EnablingPolicy_RevokedUsersExcluded_FromComplianceCheck(
+    public async Task ValidateAsync_EnablingPolicy_RevokedUsersIncluded_InComplianceCheck(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var revokedUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -374,38 +315,44 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Revoked,
             UserId = Guid.NewGuid(),
-            Email = "revoked@example.com"
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
+        var additionalOrgUser = new OrganizationUser
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = Guid.NewGuid(),
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Revoked,
+            UserId = revokedUser.UserId,
+        };
 
-        sutProvider.GetDependency<IOrganizationUserRepository>()
+        var orgUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
+
+        orgUserRepository
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([revokedUser]);
 
+        orgUserRepository.GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([additionalOrgUser]);
+
         sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
             .Returns([]);
 
         // Act
         var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
 
         // Assert
-        Assert.True(string.IsNullOrEmpty(result));
+        Assert.Contains("compliant with the Single organization policy", result, StringComparison.OrdinalIgnoreCase);
     }
 
     [Theory, BitAutoData]
     public async Task ValidateAsync_EnablingPolicy_AcceptedUsersIncluded_InComplianceCheck(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         Guid nonCompliantUserId,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var acceptedUser = new OrganizationUserUserDetails
         {
             Id = Guid.NewGuid(),
@@ -413,7 +360,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Type = OrganizationUserType.User,
             Status = OrganizationUserStatusType.Accepted,
             UserId = nonCompliantUserId,
-            Email = "accepted@example.com"
         };
 
         var otherOrgUser = new OrganizationUser
@@ -424,10 +370,6 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
             Status = OrganizationUserStatusType.Confirmed
         };
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([acceptedUser]);
@@ -443,186 +385,22 @@ public class AutomaticUserConfirmationPolicyEventHandlerTests
         Assert.Contains("compliant with the Single organization policy", result, StringComparison.OrdinalIgnoreCase);
     }
 
-    [Theory, BitAutoData]
-    public async Task ValidateAsync_EnablingPolicy_EmptyOrganization_ReturnsEmptyString(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
-        sutProvider.GetDependency<IOrganizationUserRepository>()
-            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
-            .Returns([]);
-
-        sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
-            .Returns([]);
-
-        // Act
-        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
-
-        // Assert
-        Assert.True(string.IsNullOrEmpty(result));
-    }
-
     [Theory, BitAutoData]
     public async Task ValidateAsync_WithSavePolicyModel_CallsValidateWithPolicyUpdate(
         [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
         SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
     {
         // Arrange
-        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
-
         var savePolicyModel = new SavePolicyModel(policyUpdate);
 
-        sutProvider.GetDependency<IPolicyRepository>()
-            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
-            .Returns(singleOrgPolicy);
-
         sutProvider.GetDependency<IOrganizationUserRepository>()
             .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
             .Returns([]);
 
-        sutProvider.GetDependency<IProviderUserRepository>()
-            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
-            .Returns([]);
-
         // Act
         var result = await sutProvider.Sut.ValidateAsync(savePolicyModel, null);
 
         // Assert
         Assert.True(string.IsNullOrEmpty(result));
     }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_EnablingPolicy_SetsUseAutomaticUserConfirmationToTrue(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        Organization organization,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        organization.Id = policyUpdate.OrganizationId;
-        organization.UseAutomaticUserConfirmation = false;
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(policyUpdate.OrganizationId)
-            .Returns(organization);
-
-        // Act
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
-
-        // Assert
-        await sutProvider.GetDependency<IOrganizationRepository>()
-            .Received(1)
-            .UpsertAsync(Arg.Is<Organization>(o =>
-                o.Id == organization.Id &&
-                o.UseAutomaticUserConfirmation == true &&
-                o.RevisionDate > DateTime.MinValue));
-    }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_DisablingPolicy_SetsUseAutomaticUserConfirmationToFalse(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation, false)] PolicyUpdate policyUpdate,
-        Organization organization,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        organization.Id = policyUpdate.OrganizationId;
-        organization.UseAutomaticUserConfirmation = true;
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(policyUpdate.OrganizationId)
-            .Returns(organization);
-
-        // Act
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
-
-        // Assert
-        await sutProvider.GetDependency<IOrganizationRepository>()
-            .Received(1)
-            .UpsertAsync(Arg.Is<Organization>(o =>
-                o.Id == organization.Id &&
-                o.UseAutomaticUserConfirmation == false &&
-                o.RevisionDate > DateTime.MinValue));
-    }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_OrganizationNotFound_DoesNotThrowException(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(policyUpdate.OrganizationId)
-            .Returns((Organization?)null);
-
-        // Act
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
-
-        // Assert
-        await sutProvider.GetDependency<IOrganizationRepository>()
-            .DidNotReceive()
-            .UpsertAsync(Arg.Any<Organization>());
-    }
-
-    [Theory, BitAutoData]
-    public async Task ExecutePreUpsertSideEffectAsync_CallsOnSaveSideEffectsAsync(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        [Policy(PolicyType.AutomaticUserConfirmation)] Policy currentPolicy,
-        Organization organization,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        organization.Id = policyUpdate.OrganizationId;
-        currentPolicy.OrganizationId = policyUpdate.OrganizationId;
-
-        var savePolicyModel = new SavePolicyModel(policyUpdate);
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(policyUpdate.OrganizationId)
-            .Returns(organization);
-
-        // Act
-        await sutProvider.Sut.ExecutePreUpsertSideEffectAsync(savePolicyModel, currentPolicy);
-
-        // Assert
-        await sutProvider.GetDependency<IOrganizationRepository>()
-            .Received(1)
-            .UpsertAsync(Arg.Is<Organization>(o =>
-                o.Id == organization.Id &&
-                o.UseAutomaticUserConfirmation == policyUpdate.Enabled));
-    }
-
-    [Theory, BitAutoData]
-    public async Task OnSaveSideEffectsAsync_UpdatesRevisionDate(
-        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
-        Organization organization,
-        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
-    {
-        // Arrange
-        organization.Id = policyUpdate.OrganizationId;
-        var originalRevisionDate = DateTime.UtcNow.AddDays(-1);
-        organization.RevisionDate = originalRevisionDate;
-
-        sutProvider.GetDependency<IOrganizationRepository>()
-            .GetByIdAsync(policyUpdate.OrganizationId)
-            .Returns(organization);
-
-        // Act
-        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
-
-        // Assert
-        await sutProvider.GetDependency<IOrganizationRepository>()
-            .Received(1)
-            .UpsertAsync(Arg.Is<Organization>(o =>
-                o.Id == organization.Id &&
-                o.RevisionDate > originalRevisionDate));
-    }
 }
diff --git a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/ProviderUserRepositoryTests.cs b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/ProviderUserRepositoryTests.cs
index 0d1d28f33d..b502c6c997 100644
--- a/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/ProviderUserRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/AdminConsole/Repositories/ProviderUserRepositoryTests.cs
@@ -89,6 +89,286 @@ public class ProviderUserRepositoryTests
         Assert.Equal(serializedSsoConfigData, orgWithSsoDetails.SsoConfig);
     }
 
+    [Theory, DatabaseData]
+    public async Task GetManyByManyUsersAsync_WithMultipleUsers_ReturnsAllProviderUsers(
+        IUserRepository userRepository,
+        IProviderRepository providerRepository,
+        IProviderUserRepository providerUserRepository)
+    {
+        var user1 = await userRepository.CreateTestUserAsync();
+        var user2 = await userRepository.CreateTestUserAsync();
+        var user3 = await userRepository.CreateTestUserAsync();
+
+        var provider1 = await providerRepository.CreateAsync(new Provider
+        {
+            Name = "Test Provider 1",
+            Enabled = true,
+            Type = ProviderType.Msp
+        });
+
+        var provider2 = await providerRepository.CreateAsync(new Provider
+        {
+            Name = "Test Provider 2",
+            Enabled = true,
+            Type = ProviderType.Reseller
+        });
+
+        var providerUser1 = await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            Id = Guid.NewGuid(),
+            ProviderId = provider1.Id,
+            UserId = user1.Id,
+            Status = ProviderUserStatusType.Confirmed,
+            Type = ProviderUserType.ProviderAdmin
+        });
+
+        var providerUser2 = await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            Id = Guid.NewGuid(),
+            ProviderId = provider1.Id,
+            UserId = user2.Id,
+            Status = ProviderUserStatusType.Invited,
+            Type = ProviderUserType.ServiceUser
+        });
+
+        var providerUser3 = await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            Id = Guid.NewGuid(),
+            ProviderId = provider2.Id,
+            UserId = user3.Id,
+            Status = ProviderUserStatusType.Confirmed,
+            Type = ProviderUserType.ProviderAdmin
+        });
+
+        var userIds = new[] { user1.Id, user2.Id, user3.Id };
+
+        var results = (await providerUserRepository.GetManyByManyUsersAsync(userIds)).ToList();
+
+        Assert.Equal(3, results.Count);
+        Assert.Contains(results, pu => pu.Id == providerUser1.Id && pu.UserId == user1.Id);
+        Assert.Contains(results, pu => pu.Id == providerUser2.Id && pu.UserId == user2.Id);
+        Assert.Contains(results, pu => pu.Id == providerUser3.Id && pu.UserId == user3.Id);
+    }
+
+    [Theory, DatabaseData]
+    public async Task GetManyByManyUsersAsync_WithSingleUser_ReturnsSingleProviderUser(
+        IUserRepository userRepository,
+        IProviderRepository providerRepository,
+        IProviderUserRepository providerUserRepository)
+    {
+        var user = await userRepository.CreateTestUserAsync();
+
+        var provider = await providerRepository.CreateAsync(new Provider
+        {
+            Name = "Test Provider",
+            Enabled = true,
+            Type = ProviderType.Msp
+        });
+
+        var providerUser = await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            Id = Guid.NewGuid(),
+            ProviderId = provider.Id,
+            UserId = user.Id,
+            Status = ProviderUserStatusType.Confirmed,
+            Type = ProviderUserType.ProviderAdmin
+        });
+
+        var results = (await providerUserRepository.GetManyByManyUsersAsync([user.Id])).ToList();
+
+        Assert.Single(results);
+        Assert.Equal(user.Id, results[0].UserId);
+        Assert.Equal(provider.Id, results[0].ProviderId);
+    }
+
+    [Theory, DatabaseData]
+    public async Task GetManyByManyUsersAsync_WithUserHavingMultipleProviders_ReturnsAllProviderUsers(
+        IUserRepository userRepository,
+        IProviderRepository providerRepository,
+        IProviderUserRepository providerUserRepository)
+    {
+        var user = await userRepository.CreateTestUserAsync();
+
+        var provider1 = await providerRepository.CreateAsync(new Provider
+        {
+            Name = "Test Provider 1",
+            Enabled = true,
+            Type = ProviderType.Msp
+        });
+
+        var provider2 = await providerRepository.CreateAsync(new Provider
+        {
+            Name = "Test Provider 2",
+            Enabled = true,
+            Type = ProviderType.Reseller
+        });
+
+        var providerUser1 = await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            ProviderId = provider1.Id,
+            UserId = user.Id,
+            Status = ProviderUserStatusType.Confirmed,
+            Type = ProviderUserType.ProviderAdmin
+        });
+
+        var providerUser2 = await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            ProviderId = provider2.Id,
+            UserId = user.Id,
+            Status = ProviderUserStatusType.Confirmed,
+            Type = ProviderUserType.ServiceUser
+        });
+
+        var results = (await providerUserRepository.GetManyByManyUsersAsync([user.Id])).ToList();
+
+        Assert.Equal(2, results.Count);
+        Assert.Contains(results, pu => pu.Id == providerUser1.Id);
+        Assert.Contains(results, pu => pu.Id == providerUser2.Id);
+    }
+
+    [Theory, DatabaseData]
+    public async Task GetManyByManyUsersAsync_WithEmptyUserIds_ReturnsEmpty(
+        IProviderUserRepository providerUserRepository)
+    {
+        var results = await providerUserRepository.GetManyByManyUsersAsync(Array.Empty<Guid>());
+
+        Assert.Empty(results);
+    }
+
+    [Theory, DatabaseData]
+    public async Task GetManyByManyUsersAsync_WithNonExistentUserIds_ReturnsEmpty(
+        IProviderUserRepository providerUserRepository)
+    {
+        var nonExistentUserIds = new[] { Guid.NewGuid(), Guid.NewGuid() };
+
+        var results = await providerUserRepository.GetManyByManyUsersAsync(nonExistentUserIds);
+
+        Assert.Empty(results);
+    }
+
+    [Theory, DatabaseData]
+    public async Task GetManyByManyUsersAsync_WithMixedExistentAndNonExistentUserIds_ReturnsOnlyExistent(
+        IUserRepository userRepository,
+        IProviderRepository providerRepository,
+        IProviderUserRepository providerUserRepository)
+    {
+        var existingUser = await userRepository.CreateTestUserAsync();
+
+        var provider = await providerRepository.CreateAsync(new Provider
+        {
+            Name = "Test Provider",
+            Enabled = true,
+            Type = ProviderType.Msp
+        });
+
+        var providerUser = await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            ProviderId = provider.Id,
+            UserId = existingUser.Id,
+            Status = ProviderUserStatusType.Confirmed,
+            Type = ProviderUserType.ProviderAdmin
+        });
+
+        var userIds = new[] { existingUser.Id, Guid.NewGuid(), Guid.NewGuid() };
+
+        var results = (await providerUserRepository.GetManyByManyUsersAsync(userIds)).ToList();
+
+        Assert.Single(results);
+        Assert.Equal(existingUser.Id, results[0].UserId);
+    }
+
+    [Theory, DatabaseData]
+    public async Task GetManyByManyUsersAsync_ReturnsAllStatuses(
+        IUserRepository userRepository,
+        IProviderRepository providerRepository,
+        IProviderUserRepository providerUserRepository)
+    {
+        var user1 = await userRepository.CreateTestUserAsync();
+        var user2 = await userRepository.CreateTestUserAsync();
+        var user3 = await userRepository.CreateTestUserAsync();
+
+        var provider = await providerRepository.CreateAsync(new Provider
+        {
+            Name = "Test Provider",
+            Enabled = true,
+            Type = ProviderType.Msp
+        });
+
+        await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            ProviderId = provider.Id,
+            UserId = user1.Id,
+            Status = ProviderUserStatusType.Invited,
+            Type = ProviderUserType.ServiceUser
+        });
+
+        await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            ProviderId = provider.Id,
+            UserId = user2.Id,
+            Status = ProviderUserStatusType.Accepted,
+            Type = ProviderUserType.ServiceUser
+        });
+
+        await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            ProviderId = provider.Id,
+            UserId = user3.Id,
+            Status = ProviderUserStatusType.Confirmed,
+            Type = ProviderUserType.ProviderAdmin
+        });
+
+        var userIds = new[] { user1.Id, user2.Id, user3.Id };
+
+        var results = (await providerUserRepository.GetManyByManyUsersAsync(userIds)).ToList();
+
+        Assert.Equal(3, results.Count);
+        Assert.Contains(results, pu => pu.UserId == user1.Id && pu.Status == ProviderUserStatusType.Invited);
+        Assert.Contains(results, pu => pu.UserId == user2.Id && pu.Status == ProviderUserStatusType.Accepted);
+        Assert.Contains(results, pu => pu.UserId == user3.Id && pu.Status == ProviderUserStatusType.Confirmed);
+    }
+
+    [Theory, DatabaseData]
+    public async Task GetManyByManyUsersAsync_ReturnsAllProviderUserTypes(
+        IUserRepository userRepository,
+        IProviderRepository providerRepository,
+        IProviderUserRepository providerUserRepository)
+    {
+        var user1 = await userRepository.CreateTestUserAsync();
+        var user2 = await userRepository.CreateTestUserAsync();
+
+        var provider = await providerRepository.CreateAsync(new Provider
+        {
+            Name = "Test Provider",
+            Enabled = true,
+            Type = ProviderType.Msp
+        });
+
+        await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            ProviderId = provider.Id,
+            UserId = user1.Id,
+            Status = ProviderUserStatusType.Confirmed,
+            Type = ProviderUserType.ServiceUser
+        });
+
+        await providerUserRepository.CreateAsync(new ProviderUser
+        {
+            ProviderId = provider.Id,
+            UserId = user2.Id,
+            Status = ProviderUserStatusType.Confirmed,
+            Type = ProviderUserType.ProviderAdmin
+        });
+
+        var userIds = new[] { user1.Id, user2.Id };
+
+        var results = (await providerUserRepository.GetManyByManyUsersAsync(userIds)).ToList();
+
+        Assert.Equal(2, results.Count);
+        Assert.Contains(results, pu => pu.UserId == user1.Id && pu.Type == ProviderUserType.ServiceUser);
+        Assert.Contains(results, pu => pu.UserId == user2.Id && pu.Type == ProviderUserType.ProviderAdmin);
+    }
+
     private static void AssertProviderOrganizationDetails(
         ProviderUserOrganizationDetails actual,
         Organization expectedOrganization,
@@ -139,4 +419,6 @@ public class ProviderUserRepositoryTests
         Assert.Equal(expectedProviderUser.Status, actual.Status);
         Assert.Equal(expectedProviderUser.Type, actual.Type);
     }
+
+
 }
diff --git a/util/Migrator/DbScripts/2025-12-03_00_ProviderUserGetManyByUserIds.sql b/util/Migrator/DbScripts/2025-12-03_00_ProviderUserGetManyByUserIds.sql
new file mode 100644
index 0000000000..b112e02263
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-12-03_00_ProviderUserGetManyByUserIds.sql
@@ -0,0 +1,13 @@
+CREATE OR ALTER PROCEDURE [dbo].[ProviderUser_ReadManyByManyUserIds]
+    @UserIds AS [dbo].[GuidIdArray] READONLY
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        [pu].*
+    FROM
+        [dbo].[ProviderUserView] AS [pu]
+    INNER JOIN
+        @UserIds [u] ON [u].[Id] = [pu].[UserId]
+END

From 5469d8be0e4d71c614b055296a74bf0ded31c1a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rui=20Tom=C3=A9?=
 <108268980+r-tome@users.noreply.github.com>
Date: Fri, 5 Dec 2025 16:28:04 +0000
Subject: [PATCH 3/4] [PM-28260] Optimize bulk reinvite endpoint (#6670)

* Implement optimized bulk invite resend command

- Added IBulkResendOrganizationInvitesCommand interface to define the bulk resend operation.
- Created BulkResendOrganizationInvitesCommand class to handle the logic for resending invites to multiple organization users.
- Integrated logging and validation to ensure only valid users receive invites.
- Included error handling for non-existent organizations and invalid user statuses.

* Add unit tests for BulkResendOrganizationInvitesCommand

- Implemented comprehensive test cases for the BulkResendOrganizationInvitesCommand class.
- Validated user statuses and ensured correct handling of valid and invalid users during bulk invite resends.
- Included tests for scenarios such as organization not found and empty user lists.
- Utilized Xunit and NSubstitute for effective testing and mocking of dependencies.

* Add IBulkResendOrganizationInvitesCommand to service collection

- Registered IBulkResendOrganizationInvitesCommand in the service collection for dependency injection.

* Update OrganizationUsersController to utilize IBulkResendOrganizationInvitesCommand

- Added IBulkResendOrganizationInvitesCommand to the OrganizationUsersController for handling bulk invite resends based on feature flag.
- Updated BulkReinvite method to conditionally use the new command or the legacy service based on the feature flag status.
- Enhanced unit tests to verify correct command usage depending on feature flag state, ensuring robust testing for both scenarios.
---
 .../OrganizationUsersController.cs            |  15 ++-
 .../BulkResendOrganizationInvitesCommand.cs   |  69 +++++++++++
 .../IBulkResendOrganizationInvitesCommand.cs  |  20 ++++
 ...OrganizationServiceCollectionExtensions.cs |   1 +
 .../OrganizationUsersControllerTests.cs       |  65 ++++++++++
 ...lkResendOrganizationInvitesCommandTests.cs | 113 ++++++++++++++++++
 6 files changed, 282 insertions(+), 1 deletion(-)
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/BulkResendOrganizationInvitesCommand.cs
 create mode 100644 src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/IBulkResendOrganizationInvitesCommand.cs
 create mode 100644 test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/BulkResendOrganizationInvitesCommandTests.cs

diff --git a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
index 55b9caa550..d78c462005 100644
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@@ -71,6 +71,7 @@ public class OrganizationUsersController : BaseAdminConsoleController
     private readonly IFeatureService _featureService;
     private readonly IPricingClient _pricingClient;
     private readonly IResendOrganizationInviteCommand _resendOrganizationInviteCommand;
+    private readonly IBulkResendOrganizationInvitesCommand _bulkResendOrganizationInvitesCommand;
     private readonly IAutomaticallyConfirmOrganizationUserCommand _automaticallyConfirmOrganizationUserCommand;
     private readonly IConfirmOrganizationUserCommand _confirmOrganizationUserCommand;
     private readonly IRestoreOrganizationUserCommand _restoreOrganizationUserCommand;
@@ -105,6 +106,7 @@ public class OrganizationUsersController : BaseAdminConsoleController
         IInitPendingOrganizationCommand initPendingOrganizationCommand,
         IRevokeOrganizationUserCommand revokeOrganizationUserCommand,
         IResendOrganizationInviteCommand resendOrganizationInviteCommand,
+        IBulkResendOrganizationInvitesCommand bulkResendOrganizationInvitesCommand,
         IAdminRecoverAccountCommand adminRecoverAccountCommand,
         IAutomaticallyConfirmOrganizationUserCommand automaticallyConfirmOrganizationUserCommand)
     {
@@ -131,6 +133,7 @@ public class OrganizationUsersController : BaseAdminConsoleController
         _featureService = featureService;
         _pricingClient = pricingClient;
         _resendOrganizationInviteCommand = resendOrganizationInviteCommand;
+        _bulkResendOrganizationInvitesCommand = bulkResendOrganizationInvitesCommand;
         _automaticallyConfirmOrganizationUserCommand = automaticallyConfirmOrganizationUserCommand;
         _confirmOrganizationUserCommand = confirmOrganizationUserCommand;
         _restoreOrganizationUserCommand = restoreOrganizationUserCommand;
@@ -273,7 +276,17 @@ public class OrganizationUsersController : BaseAdminConsoleController
     public async Task<ListResponseModel<OrganizationUserBulkResponseModel>> BulkReinvite(Guid orgId, [FromBody] OrganizationUserBulkRequestModel model)
     {
         var userId = _userService.GetProperUserId(User);
-        var result = await _organizationService.ResendInvitesAsync(orgId, userId.Value, model.Ids);
+
+        IEnumerable<Tuple<Core.Entities.OrganizationUser, string>> result;
+        if (_featureService.IsEnabled(FeatureFlagKeys.IncreaseBulkReinviteLimitForCloud))
+        {
+            result = await _bulkResendOrganizationInvitesCommand.BulkResendInvitesAsync(orgId, userId.Value, model.Ids);
+        }
+        else
+        {
+            result = await _organizationService.ResendInvitesAsync(orgId, userId.Value, model.Ids);
+        }
+
         return new ListResponseModel<OrganizationUserBulkResponseModel>(
             result.Select(t => new OrganizationUserBulkResponseModel(t.Item1.Id, t.Item2)));
     }
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/BulkResendOrganizationInvitesCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/BulkResendOrganizationInvitesCommand.cs
new file mode 100644
index 0000000000..c7c80bd937
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/BulkResendOrganizationInvitesCommand.cs
@@ -0,0 +1,69 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.AdminConsole.Utilities.DebuggingInstruments;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Microsoft.Extensions.Logging;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+public class BulkResendOrganizationInvitesCommand : IBulkResendOrganizationInvitesCommand
+{
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IOrganizationRepository _organizationRepository;
+    private readonly ISendOrganizationInvitesCommand _sendOrganizationInvitesCommand;
+    private readonly ILogger<BulkResendOrganizationInvitesCommand> _logger;
+
+    public BulkResendOrganizationInvitesCommand(
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationRepository organizationRepository,
+        ISendOrganizationInvitesCommand sendOrganizationInvitesCommand,
+        ILogger<BulkResendOrganizationInvitesCommand> logger)
+    {
+        _organizationUserRepository = organizationUserRepository;
+        _organizationRepository = organizationRepository;
+        _sendOrganizationInvitesCommand = sendOrganizationInvitesCommand;
+        _logger = logger;
+    }
+
+    public async Task<IEnumerable<Tuple<OrganizationUser, string>>> BulkResendInvitesAsync(
+        Guid organizationId,
+        Guid? invitingUserId,
+        IEnumerable<Guid> organizationUsersId)
+    {
+        var orgUsers = await _organizationUserRepository.GetManyAsync(organizationUsersId);
+        _logger.LogUserInviteStateDiagnostics(orgUsers);
+
+        var org = await _organizationRepository.GetByIdAsync(organizationId);
+        if (org == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var validUsers = new List<OrganizationUser>();
+        var result = new List<Tuple<OrganizationUser, string>>();
+
+        foreach (var orgUser in orgUsers)
+        {
+            if (orgUser.Status != OrganizationUserStatusType.Invited || orgUser.OrganizationId != organizationId)
+            {
+                result.Add(Tuple.Create(orgUser, "User invalid."));
+            }
+            else
+            {
+                validUsers.Add(orgUser);
+            }
+        }
+
+        if (validUsers.Any())
+        {
+            await _sendOrganizationInvitesCommand.SendInvitesAsync(
+                new SendInvitesRequest(validUsers, org));
+
+            result.AddRange(validUsers.Select(u => Tuple.Create(u, "")));
+        }
+
+        return result;
+    }
+}
diff --git a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/IBulkResendOrganizationInvitesCommand.cs b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/IBulkResendOrganizationInvitesCommand.cs
new file mode 100644
index 0000000000..342a06fcf9
--- /dev/null
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/IBulkResendOrganizationInvitesCommand.cs
@@ -0,0 +1,20 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+public interface IBulkResendOrganizationInvitesCommand
+{
+    /// <summary>
+    /// Resend invites to multiple organization users in bulk.
+    /// </summary>
+    /// <param name="organizationId">The ID of the organization.</param>
+    /// <param name="invitingUserId">The ID of the user who is resending the invites.</param>
+    /// <param name="organizationUsersId">The IDs of the organization users to resend invites to.</param>
+    /// <returns>A tuple containing the OrganizationUser and an error message (empty string if successful)</returns>
+    Task<IEnumerable<Tuple<OrganizationUser, string>>> BulkResendInvitesAsync(
+        Guid organizationId,
+        Guid? invitingUserId,
+        IEnumerable<Guid> organizationUsersId);
+}
+
+
diff --git a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
index 91030c5151..9cb9159ebb 100644
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@@ -197,6 +197,7 @@ public static class OrganizationServiceCollectionExtensions
         services.AddScoped<IInviteOrganizationUsersCommand, InviteOrganizationUsersCommand>();
         services.AddScoped<ISendOrganizationInvitesCommand, SendOrganizationInvitesCommand>();
         services.AddScoped<IResendOrganizationInviteCommand, ResendOrganizationInviteCommand>();
+        services.AddScoped<IBulkResendOrganizationInvitesCommand, BulkResendOrganizationInvitesCommand>();
 
         services.AddScoped<IInviteUsersValidator, InviteOrganizationUsersValidator>();
         services.AddScoped<IInviteUsersOrganizationValidator, InviteUsersOrganizationValidator>();
diff --git a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
index cb03844aa2..43f0123a3f 100644
--- a/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
+++ b/test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
@@ -11,6 +11,7 @@ using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.AccountRecovery;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.AutoConfirmUser;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.Repositories;
@@ -730,4 +731,68 @@ public class OrganizationUsersControllerTests
         var problemResult = Assert.IsType<JsonHttpResult<ErrorResponseModel>>(result);
         Assert.Equal(StatusCodes.Status500InternalServerError, problemResult.StatusCode);
     }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkReinvite_WhenFeatureFlagEnabled_UsesBulkResendOrganizationInvitesCommand(
+        Guid organizationId,
+        OrganizationUserBulkRequestModel bulkRequestModel,
+        List<OrganizationUser> organizationUsers,
+        Guid userId,
+        SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<ICurrentContext>().ManageUsers(organizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(userId);
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.IncreaseBulkReinviteLimitForCloud)
+            .Returns(true);
+
+        var expectedResults = organizationUsers.Select(u => Tuple.Create(u, "")).ToList();
+        sutProvider.GetDependency<IBulkResendOrganizationInvitesCommand>()
+            .BulkResendInvitesAsync(organizationId, userId, bulkRequestModel.Ids)
+            .Returns(expectedResults);
+
+        // Act
+        var response = await sutProvider.Sut.BulkReinvite(organizationId, bulkRequestModel);
+
+        // Assert
+        Assert.Equal(organizationUsers.Count, response.Data.Count());
+
+        await sutProvider.GetDependency<IBulkResendOrganizationInvitesCommand>()
+            .Received(1)
+            .BulkResendInvitesAsync(organizationId, userId, bulkRequestModel.Ids);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkReinvite_WhenFeatureFlagDisabled_UsesLegacyOrganizationService(
+        Guid organizationId,
+        OrganizationUserBulkRequestModel bulkRequestModel,
+        List<OrganizationUser> organizationUsers,
+        Guid userId,
+        SutProvider<OrganizationUsersController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<ICurrentContext>().ManageUsers(organizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(userId);
+        sutProvider.GetDependency<IFeatureService>()
+            .IsEnabled(FeatureFlagKeys.IncreaseBulkReinviteLimitForCloud)
+            .Returns(false);
+
+        var expectedResults = organizationUsers.Select(u => Tuple.Create(u, "")).ToList();
+        sutProvider.GetDependency<IOrganizationService>()
+            .ResendInvitesAsync(organizationId, userId, bulkRequestModel.Ids)
+            .Returns(expectedResults);
+
+        // Act
+        var response = await sutProvider.Sut.BulkReinvite(organizationId, bulkRequestModel);
+
+        // Assert
+        Assert.Equal(organizationUsers.Count, response.Data.Count());
+
+        await sutProvider.GetDependency<IOrganizationService>()
+            .Received(1)
+            .ResendInvitesAsync(organizationId, userId, bulkRequestModel.Ids);
+    }
 }
diff --git a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/BulkResendOrganizationInvitesCommandTests.cs b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/BulkResendOrganizationInvitesCommandTests.cs
new file mode 100644
index 0000000000..caae3a3b12
--- /dev/null
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/InviteUsers/BulkResendOrganizationInvitesCommandTests.cs
@@ -0,0 +1,113 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers.Models;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers.InviteUsers;
+
+[SutProviderCustomize]
+public class BulkResendOrganizationInvitesCommandTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task BulkResendInvitesAsync_ValidatesUsersAndSendsBatchInvite(
+        Organization organization,
+        OrganizationUser validUser1,
+        OrganizationUser validUser2,
+        OrganizationUser acceptedUser,
+        OrganizationUser wrongOrgUser,
+        SutProvider<BulkResendOrganizationInvitesCommand> sutProvider)
+    {
+        validUser1.OrganizationId = organization.Id;
+        validUser1.Status = OrganizationUserStatusType.Invited;
+        validUser2.OrganizationId = organization.Id;
+        validUser2.Status = OrganizationUserStatusType.Invited;
+        acceptedUser.OrganizationId = organization.Id;
+        acceptedUser.Status = OrganizationUserStatusType.Accepted;
+        wrongOrgUser.OrganizationId = Guid.NewGuid();
+        wrongOrgUser.Status = OrganizationUserStatusType.Invited;
+
+        var users = new List<OrganizationUser> { validUser1, validUser2, acceptedUser, wrongOrgUser };
+        var userIds = users.Select(u => u.Id).ToList();
+
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyAsync(userIds).Returns(users);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+
+        var result = (await sutProvider.Sut.BulkResendInvitesAsync(organization.Id, null, userIds)).ToList();
+
+        Assert.Equal(4, result.Count);
+        Assert.Equal(2, result.Count(r => string.IsNullOrEmpty(r.Item2)));
+        Assert.Equal(2, result.Count(r => r.Item2 == "User invalid."));
+
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>()
+            .Received(1)
+            .SendInvitesAsync(Arg.Is<SendInvitesRequest>(req =>
+                req.Organization == organization &&
+                req.Users.Length == 2 &&
+                req.InitOrganization == false));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkResendInvitesAsync_AllInvalidUsers_DoesNotSendInvites(
+        Organization organization,
+        List<OrganizationUser> organizationUsers,
+        SutProvider<BulkResendOrganizationInvitesCommand> sutProvider)
+    {
+        foreach (var user in organizationUsers)
+        {
+            user.OrganizationId = organization.Id;
+            user.Status = OrganizationUserStatusType.Confirmed;
+        }
+
+        var userIds = organizationUsers.Select(u => u.Id).ToList();
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyAsync(userIds).Returns(organizationUsers);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+
+        var result = (await sutProvider.Sut.BulkResendInvitesAsync(organization.Id, null, userIds)).ToList();
+
+        Assert.Equal(organizationUsers.Count, result.Count);
+        Assert.All(result, r => Assert.Equal("User invalid.", r.Item2));
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>().DidNotReceive()
+            .SendInvitesAsync(Arg.Any<SendInvitesRequest>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkResendInvitesAsync_OrganizationNotFound_ThrowsNotFoundException(
+        Guid organizationId,
+        List<Guid> userIds,
+        List<OrganizationUser> organizationUsers,
+        SutProvider<BulkResendOrganizationInvitesCommand> sutProvider)
+    {
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyAsync(userIds).Returns(organizationUsers);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns((Organization?)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.BulkResendInvitesAsync(organizationId, null, userIds));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkResendInvitesAsync_EmptyUserList_ReturnsEmpty(
+        Organization organization,
+        SutProvider<BulkResendOrganizationInvitesCommand> sutProvider)
+    {
+        var emptyUserIds = new List<Guid>();
+        sutProvider.GetDependency<IOrganizationUserRepository>().GetManyAsync(emptyUserIds).Returns(new List<OrganizationUser>());
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
+
+        var result = await sutProvider.Sut.BulkResendInvitesAsync(organization.Id, null, emptyUserIds);
+
+        Assert.Empty(result);
+        await sutProvider.GetDependency<ISendOrganizationInvitesCommand>().DidNotReceive()
+            .SendInvitesAsync(Arg.Any<SendInvitesRequest>());
+    }
+}

From d5f39eac9122ee57e9e80eb9a1487957ef681411 Mon Sep 17 00:00:00 2001
From: Ike <137194738+ike-kottlowski@users.noreply.github.com>
Date: Fri, 5 Dec 2025 11:35:37 -0500
Subject: [PATCH 4/4] [PM-28769] [PM-28768] [PM-28772] Welcome email bug fixes
 (#6644)

Fix: fix bugs reported by QA for Welcome emails
* test: add test for new plan type in welcome email

* fix: change to headStyle so styling is only included once

* fix: update MJML templates to have correct copy text

* chore: move build artifacts for updated email templates

* fix: add setting for SMTP to SSO project

* fix: update component css styling

* chore: rebuild hbs templates

* fix: using billing extension method to fetch Correct PlanType.
---
 .../src/Sso/appsettings.Development.json      |  8 ++-
 bitwarden_license/src/Sso/appsettings.json    |  6 +-
 .../Implementations/RegisterUserCommand.cs    |  5 +-
 .../Onboarding/welcome-family-user.html.hbs   | 65 ++++++++++---------
 .../welcome-individual-user.html.hbs          | 63 +++++++++---------
 .../Auth/Onboarding/welcome-org-user.html.hbs | 65 ++++++++++---------
 .../Mjml/components/mj-bw-icon-row.js         | 18 ++---
 .../Auth/Onboarding/welcome-family-user.mjml  |  2 +-
 .../Onboarding/welcome-individual-user.mjml   |  2 +-
 .../Auth/Onboarding/welcome-org-user.mjml     |  2 +-
 .../Registration/RegisterUserCommandTests.cs  |  1 +
 11 files changed, 131 insertions(+), 106 deletions(-)

diff --git a/bitwarden_license/src/Sso/appsettings.Development.json b/bitwarden_license/src/Sso/appsettings.Development.json
index 6d9ec77815..8e24d82528 100644
--- a/bitwarden_license/src/Sso/appsettings.Development.json
+++ b/bitwarden_license/src/Sso/appsettings.Development.json
@@ -25,6 +25,12 @@
       "connectionString": "UseDevelopmentStorage=true"
     },
     "developmentDirectory": "../../../dev",
-    "pricingUri": "https://billingpricing.qa.bitwarden.pw"
+    "pricingUri": "https://billingpricing.qa.bitwarden.pw",
+    "mail": {
+      "smtp": {
+        "host": "localhost",
+        "port": 10250
+      }
+    }
   }
 }
diff --git a/bitwarden_license/src/Sso/appsettings.json b/bitwarden_license/src/Sso/appsettings.json
index 73c85044cc..9a5df42f7f 100644
--- a/bitwarden_license/src/Sso/appsettings.json
+++ b/bitwarden_license/src/Sso/appsettings.json
@@ -13,7 +13,11 @@
     "mail": {
       "sendGridApiKey": "SECRET",
       "amazonConfigSetName": "Email",
-      "replyToEmail": "no-reply@bitwarden.com"
+      "replyToEmail": "no-reply@bitwarden.com",
+      "smtp": {
+        "host": "localhost",
+        "port": 10250
+      }
     },
     "identityServer": {
       "certificateThumbprint": "SECRET"
diff --git a/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs b/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
index baeb24368e..be85a858a3 100644
--- a/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
+++ b/src/Core/Auth/UserFeatures/Registration/Implementations/RegisterUserCommand.cs
@@ -5,6 +5,7 @@ using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Models;
 using Bit.Core.Auth.Models.Business.Tokenables;
 using Bit.Core.Billing.Enums;
+using Bit.Core.Billing.Extensions;
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.OrganizationFeatures.OrganizationSponsorships.FamiliesForEnterprise.Interfaces;
@@ -455,9 +456,7 @@ public class RegisterUserCommand : IRegisterUserCommand
         else if (!string.IsNullOrEmpty(organization.DisplayName()))
         {
             // If the organization is Free or Families plan, send families welcome email
-            if (organization.PlanType is PlanType.FamiliesAnnually
-                or PlanType.FamiliesAnnually2019
-                or PlanType.Free)
+            if (organization.PlanType.GetProductTier() is ProductTierType.Free or ProductTierType.Families)
             {
                 await _mailService.SendFreeOrgOrFamilyOrgUserWelcomeEmailAsync(user, organization.DisplayName());
             }
diff --git a/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-family-user.html.hbs b/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-family-user.html.hbs
index 3cbc9446c8..9c4b2406d4 100644
--- a/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-family-user.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-family-user.html.hbs
@@ -53,11 +53,37 @@
     
     <style type="text/css">
 
+      @media only screen and (max-width:480px) {
+        .mj-bw-hero-responsive-img {
+          display: none !important;
+        }
+      }
+    
+
+      @media only screen and (max-width:480px) {
+        .mj-bw-learn-more-footer-responsive-img {
+          display: none !important;
+        }
+      }
+    
+
     @media only screen and (max-width:479px) {
       table.mj-full-width-mobile { width: 100% !important; }
       td.mj-full-width-mobile { width: auto !important; }
     }
   
+
+      @media only screen and (max-width:480px) {
+        .mj-bw-icon-row-text {
+          padding-left: 5px !important;
+          line-height: 20px;
+        }
+        .mj-bw-icon-row {
+          padding: 10px 15px;
+          width: fit-content !important;
+        }
+      }
+    
     </style>
      
     <style type="text/css">
@@ -67,29 +93,8 @@
   .border-fix > table > tbody > tr > td {
     border-radius: 3px;
   }
-@media only screen and (max-width: 480px) {
-    .hide-small-img {
-      display: none !important;
-    }
-    .send-bubble {
-      padding-left: 20px;
-      padding-right: 20px;
-      width: 90% !important;
-    }
-  }
-@media only screen and (max-width: 480px) {
-    .mj-bw-icon-row-text {
-      padding-left: 5px !important;
-      line-height: 20px;
-    }
-    .mj-bw-icon-row {
-      padding: 10px 15px;
-      width: fit-content !important;
-    }
-  }
     </style>
-    <!-- Responsive icon visibility -->
-<!-- Responsive styling for mj-bw-icon-row -->
+    
   </head>
   <body style="word-spacing:normal;background-color:#e6e9ef;">
     
@@ -156,7 +161,7 @@
             </h1>
             <mj-text color="#fff" padding-top="0" padding-bottom="0">
             <h2 style="font-weight: normal; font-size: 16px; line-height: 0px">
-              Let's get set up to autofill.
+              Let’s get you set up to autofill.
             </h2>
           </mj-text></div>
     
@@ -176,7 +181,7 @@
         <tbody>
           
               <tr>
-                <td align="center" class="hide-small-img" style="font-size:0px;padding:0px;word-break:break-word;">
+                <td align="center" class="mj-bw-hero-responsive-img" style="font-size:0px;padding:0px;word-break:break-word;">
                   
       <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:collapse;border-spacing:0px;">
         <tbody>
@@ -256,7 +261,7 @@
               <tr>
                 <td align="left" style="font-size:0px;padding:10px 15px;word-break:break-word;">
                   
-      <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:16px;line-height:24px;text-align:left;color:#1B2029;">A <b>{{OrganizationName}}</b> administrator will approve you
+      <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:16px;line-height:24px;text-align:left;color:#1B2029;">An administrator from <b>{{OrganizationName}}</b> will approve you
             before you can share passwords. While you wait for approval, get
             started with Bitwarden Password Manager:</div>
     
@@ -622,10 +627,10 @@
                 <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                   
       <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:16px;line-height:24px;text-align:left;color:#1B2029;"><p style="font-size: 18px; line-height: 28px; font-weight: bold;">
-        Learn more about Bitwarden
-      </p>
-      Find user guides, product documentation, and videos on the
-      <a href="https://bitwarden.com/help/" class="link" style="text-decoration: none; color: #175ddc; font-weight: 600;"> Bitwarden Help Center</a>.</div>
+              Learn more about Bitwarden
+            </p>
+            Find user guides, product documentation, and videos on the
+            <a href="https://bitwarden.com/help/" class="link" style="text-decoration: none; color: #175ddc; font-weight: 600;"> Bitwarden Help Center</a>.</div>
     
                 </td>
               </tr>
@@ -643,7 +648,7 @@
         <tbody>
           
               <tr>
-                <td align="center" class="hide-small-img" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                <td align="center" class="mj-bw-learn-more-footer-responsive-img" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                   
       <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:collapse;border-spacing:0px;">
         <tbody>
diff --git a/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-individual-user.html.hbs b/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-individual-user.html.hbs
index d77542bfb6..d0a4e7e0a4 100644
--- a/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-individual-user.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-individual-user.html.hbs
@@ -53,11 +53,37 @@
     
     <style type="text/css">
 
+      @media only screen and (max-width:480px) {
+        .mj-bw-hero-responsive-img {
+          display: none !important;
+        }
+      }
+    
+
+      @media only screen and (max-width:480px) {
+        .mj-bw-learn-more-footer-responsive-img {
+          display: none !important;
+        }
+      }
+    
+
     @media only screen and (max-width:479px) {
       table.mj-full-width-mobile { width: 100% !important; }
       td.mj-full-width-mobile { width: auto !important; }
     }
   
+
+      @media only screen and (max-width:480px) {
+        .mj-bw-icon-row-text {
+          padding-left: 5px !important;
+          line-height: 20px;
+        }
+        .mj-bw-icon-row {
+          padding: 10px 15px;
+          width: fit-content !important;
+        }
+      }
+    
     </style>
      
     <style type="text/css">
@@ -67,29 +93,8 @@
   .border-fix > table > tbody > tr > td {
     border-radius: 3px;
   }
-@media only screen and (max-width: 480px) {
-    .hide-small-img {
-      display: none !important;
-    }
-    .send-bubble {
-      padding-left: 20px;
-      padding-right: 20px;
-      width: 90% !important;
-    }
-  }
-@media only screen and (max-width: 480px) {
-    .mj-bw-icon-row-text {
-      padding-left: 5px !important;
-      line-height: 20px;
-    }
-    .mj-bw-icon-row {
-      padding: 10px 15px;
-      width: fit-content !important;
-    }
-  }
     </style>
-    <!-- Responsive icon visibility -->
-<!-- Responsive styling for mj-bw-icon-row -->
+    
   </head>
   <body style="word-spacing:normal;background-color:#e6e9ef;">
     
@@ -156,7 +161,7 @@
             </h1>
             <mj-text color="#fff" padding-top="0" padding-bottom="0">
             <h2 style="font-weight: normal; font-size: 16px; line-height: 0px">
-              Let's get set up to autofill.
+              Let’s get you set up to autofill.
             </h2>
           </mj-text></div>
     
@@ -176,7 +181,7 @@
         <tbody>
           
               <tr>
-                <td align="center" class="hide-small-img" style="font-size:0px;padding:0px;word-break:break-word;">
+                <td align="center" class="mj-bw-hero-responsive-img" style="font-size:0px;padding:0px;word-break:break-word;">
                   
       <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:collapse;border-spacing:0px;">
         <tbody>
@@ -621,10 +626,10 @@
                 <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                   
       <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:16px;line-height:24px;text-align:left;color:#1B2029;"><p style="font-size: 18px; line-height: 28px; font-weight: bold;">
-        Learn more about Bitwarden
-      </p>
-      Find user guides, product documentation, and videos on the
-      <a href="https://bitwarden.com/help/" class="link" style="text-decoration: none; color: #175ddc; font-weight: 600;"> Bitwarden Help Center</a>.</div>
+              Learn more about Bitwarden
+            </p>
+            Find user guides, product documentation, and videos on the
+            <a href="https://bitwarden.com/help/" class="link" style="text-decoration: none; color: #175ddc; font-weight: 600;"> Bitwarden Help Center</a>.</div>
     
                 </td>
               </tr>
@@ -642,7 +647,7 @@
         <tbody>
           
               <tr>
-                <td align="center" class="hide-small-img" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                <td align="center" class="mj-bw-learn-more-footer-responsive-img" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                   
       <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:collapse;border-spacing:0px;">
         <tbody>
diff --git a/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-org-user.html.hbs b/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-org-user.html.hbs
index 2b1141caad..439fed4b0a 100644
--- a/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-org-user.html.hbs
+++ b/src/Core/MailTemplates/Handlebars/MJML/Auth/Onboarding/welcome-org-user.html.hbs
@@ -53,11 +53,37 @@
     
     <style type="text/css">
 
+      @media only screen and (max-width:480px) {
+        .mj-bw-hero-responsive-img {
+          display: none !important;
+        }
+      }
+    
+
+      @media only screen and (max-width:480px) {
+        .mj-bw-learn-more-footer-responsive-img {
+          display: none !important;
+        }
+      }
+    
+
     @media only screen and (max-width:479px) {
       table.mj-full-width-mobile { width: 100% !important; }
       td.mj-full-width-mobile { width: auto !important; }
     }
   
+
+      @media only screen and (max-width:480px) {
+        .mj-bw-icon-row-text {
+          padding-left: 5px !important;
+          line-height: 20px;
+        }
+        .mj-bw-icon-row {
+          padding: 10px 15px;
+          width: fit-content !important;
+        }
+      }
+    
     </style>
      
     <style type="text/css">
@@ -67,29 +93,8 @@
   .border-fix > table > tbody > tr > td {
     border-radius: 3px;
   }
-@media only screen and (max-width: 480px) {
-    .hide-small-img {
-      display: none !important;
-    }
-    .send-bubble {
-      padding-left: 20px;
-      padding-right: 20px;
-      width: 90% !important;
-    }
-  }
-@media only screen and (max-width: 480px) {
-    .mj-bw-icon-row-text {
-      padding-left: 5px !important;
-      line-height: 20px;
-    }
-    .mj-bw-icon-row {
-      padding: 10px 15px;
-      width: fit-content !important;
-    }
-  }
     </style>
-    <!-- Responsive icon visibility -->
-<!-- Responsive styling for mj-bw-icon-row -->
+    
   </head>
   <body style="word-spacing:normal;background-color:#e6e9ef;">
     
@@ -156,7 +161,7 @@
             </h1>
             <mj-text color="#fff" padding-top="0" padding-bottom="0">
             <h2 style="font-weight: normal; font-size: 16px; line-height: 0px">
-              Let's get set up to autofill.
+              Let’s get you set up to autofill.
             </h2>
           </mj-text></div>
     
@@ -176,7 +181,7 @@
         <tbody>
           
               <tr>
-                <td align="center" class="hide-small-img" style="font-size:0px;padding:0px;word-break:break-word;">
+                <td align="center" class="mj-bw-hero-responsive-img" style="font-size:0px;padding:0px;word-break:break-word;">
                   
       <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:collapse;border-spacing:0px;">
         <tbody>
@@ -256,7 +261,7 @@
               <tr>
                 <td align="left" style="font-size:0px;padding:10px 15px;word-break:break-word;">
                   
-      <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:16px;line-height:24px;text-align:left;color:#1B2029;">A <b>{{OrganizationName}}</b> administrator will need to confirm
+      <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:16px;line-height:24px;text-align:left;color:#1B2029;">An administrator from <b>{{OrganizationName}}</b> will need to confirm
             you before you can share passwords. Get started with Bitwarden
             Password Manager:</div>
     
@@ -622,10 +627,10 @@
                 <td align="left" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                   
       <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:16px;line-height:24px;text-align:left;color:#1B2029;"><p style="font-size: 18px; line-height: 28px; font-weight: bold;">
-        Learn more about Bitwarden
-      </p>
-      Find user guides, product documentation, and videos on the
-      <a href="https://bitwarden.com/help/" class="link" style="text-decoration: none; color: #175ddc; font-weight: 600;"> Bitwarden Help Center</a>.</div>
+              Learn more about Bitwarden
+            </p>
+            Find user guides, product documentation, and videos on the
+            <a href="https://bitwarden.com/help/" class="link" style="text-decoration: none; color: #175ddc; font-weight: 600;"> Bitwarden Help Center</a>.</div>
     
                 </td>
               </tr>
@@ -643,7 +648,7 @@
         <tbody>
           
               <tr>
-                <td align="center" class="hide-small-img" style="font-size:0px;padding:10px 25px;word-break:break-word;">
+                <td align="center" class="mj-bw-learn-more-footer-responsive-img" style="font-size:0px;padding:10px 25px;word-break:break-word;">
                   
       <table border="0" cellpadding="0" cellspacing="0" role="presentation" style="border-collapse:collapse;border-spacing:0px;">
         <tbody>
diff --git a/src/Core/MailTemplates/Mjml/components/mj-bw-icon-row.js b/src/Core/MailTemplates/Mjml/components/mj-bw-icon-row.js
index f7f402c96e..c4d3b5da01 100644
--- a/src/Core/MailTemplates/Mjml/components/mj-bw-icon-row.js
+++ b/src/Core/MailTemplates/Mjml/components/mj-bw-icon-row.js
@@ -18,16 +18,16 @@ class MjBwIconRow extends BodyComponent {
 
   static defaultAttributes = {};
 
-  componentHeadStyle = (breakpoint) => {
+  headStyle = (breakpoint) => {
     return `
-      @media only screen and (max-width:${breakpoint}): {
-        ".mj-bw-icon-row-text": {
-          padding-left: "5px !important",
-          line-height: "20px",
-        },
-        ".mj-bw-icon-row": {
-          padding: "10px 15px",
-          width: "fit-content !important",
+      @media only screen and (max-width:${breakpoint}) {
+        .mj-bw-icon-row-text {
+          padding-left: 5px !important;
+          line-height: 20px;
+        }
+        .mj-bw-icon-row {
+          padding: 10px 15px;
+          width: fit-content !important;
         }
       }
     `;
diff --git a/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-family-user.mjml b/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-family-user.mjml
index 86de49016d..7c81a700f2 100644
--- a/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-family-user.mjml
+++ b/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-family-user.mjml
@@ -9,7 +9,7 @@
       <mj-bw-hero
         img-src="https://assets.bitwarden.com/email/v1/account-fill.png"
         title="Welcome to Bitwarden!"
-        sub-title="Let's get set up to autofill."
+        sub-title="Let’s get you set up to autofill."
       />
     </mj-wrapper>
 
diff --git a/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-individual-user.mjml b/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-individual-user.mjml
index e071cd26cc..4fc9bc466a 100644
--- a/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-individual-user.mjml
+++ b/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-individual-user.mjml
@@ -9,7 +9,7 @@
       <mj-bw-hero
         img-src="https://assets.bitwarden.com/email/v1/account-fill.png"
         title="Welcome to Bitwarden!"
-        sub-title="Let's get set up to autofill."
+        sub-title="Let’s get you set up to autofill."
       />
     </mj-wrapper>
 
diff --git a/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-org-user.mjml b/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-org-user.mjml
index 39f18fce66..7b8a03dc7e 100644
--- a/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-org-user.mjml
+++ b/src/Core/MailTemplates/Mjml/emails/Auth/Onboarding/welcome-org-user.mjml
@@ -9,7 +9,7 @@
       <mj-bw-hero
         img-src="https://assets.bitwarden.com/email/v1/account-fill.png"
         title="Welcome to Bitwarden!"
-        sub-title="Let's get set up to autofill."
+        sub-title="Let’s get you set up to autofill."
       />
     </mj-wrapper>
 
diff --git a/test/Core.Test/Auth/UserFeatures/Registration/RegisterUserCommandTests.cs b/test/Core.Test/Auth/UserFeatures/Registration/RegisterUserCommandTests.cs
index f40eea636c..92a3f3fb10 100644
--- a/test/Core.Test/Auth/UserFeatures/Registration/RegisterUserCommandTests.cs
+++ b/test/Core.Test/Auth/UserFeatures/Registration/RegisterUserCommandTests.cs
@@ -1017,6 +1017,7 @@ public class RegisterUserCommandTests
     [Theory]
     [BitAutoData(PlanType.FamiliesAnnually)]
     [BitAutoData(PlanType.FamiliesAnnually2019)]
+    [BitAutoData(PlanType.FamiliesAnnually2025)]
     [BitAutoData(PlanType.Free)]
     public async Task SendWelcomeEmail_FamilyOrg_SendsFamilyWelcomeEmail(
         PlanType planType,