[PM-26377] Add Auto Confirm Policy (#6552)

* First pass at adding Automatic User Confirmation Policy.
* Adding edge case tests. Adding side effect of updating organization feature. Removing account recovery restriction from validation.
* Added implementation for the vnext save
* Added documentation to different event types with remarks. Updated IPolicyValidator xml docs.

src/Core/AdminConsole/OrganizationFeatures/Policies/IPolicyValidator.cs

@@ -9,6 +9,10 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 /// <summary>
 /// Defines behavior and functionality for a given PolicyType.
 /// </summary>
+/// <remarks>
+/// All methods defined in this interface are for the PolicyService#SavePolicy method. This needs to be supported until
+/// we successfully refactor policy validators over to policy validation handlers
+/// </remarks>
 public interface IPolicyValidator
 {
     /// <summary>

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyServiceCollectionExtensions.cs

@@ -53,6 +53,7 @@ public static class PolicyServiceCollectionExtensions
         services.AddScoped<IPolicyUpdateEvent, FreeFamiliesForEnterprisePolicyValidator>();
         services.AddScoped<IPolicyUpdateEvent, OrganizationDataOwnershipPolicyValidator>();
         services.AddScoped<IPolicyUpdateEvent, UriMatchDefaultPolicyValidator>();
+        services.AddScoped<IPolicyUpdateEvent, AutomaticUserConfirmationPolicyEventHandler>();
     }
 
     private static void AddPolicyRequirements(this IServiceCollection services)

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyUpdateEvents/Interfaces/IEnforceDependentPoliciesEvent.cs

@@ -2,6 +2,13 @@
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 
+/// <summary>
+/// Represents all policies required to be enabled before the given policy can be enabled.
+/// </summary>
+/// <remarks>
+/// This interface is intended for policy event handlers that mandate the activation of other policies
+/// as prerequisites for enabling the associated policy.
+/// </remarks>
 public interface IEnforceDependentPoliciesEvent : IPolicyUpdateEvent
 {
     /// <summary>

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyUpdateEvents/Interfaces/IOnPolicyPreUpdateEvent.cs

@@ -3,6 +3,12 @@ using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 
+/// <summary>
+/// Represents all side effects that should be executed before a policy is upserted.
+/// </summary>
+/// <remarks>
+/// This should be added to policy handlers that need to perform side effects before policy upserts.
+/// </remarks>
 public interface IOnPolicyPreUpdateEvent : IPolicyUpdateEvent
 {
     /// <summary>

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyUpdateEvents/Interfaces/IPolicyUpdateEvent.cs

@@ -2,6 +2,12 @@
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 
+/// <summary>
+/// Represents the policy to be upserted.
+/// </summary>
+/// <remarks>
+/// This is used for the VNextSavePolicyCommand. All policy handlers should implement this interface.
+/// </remarks>
 public interface IPolicyUpdateEvent
 {
     /// <summary>

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyUpdateEvents/Interfaces/IPolicyValidationEvent.cs

@@ -3,12 +3,17 @@ using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
 
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
 
+/// <summary>
+/// Represents all validations that need to be run to enable or disable the given policy.
+/// </summary>
+/// <remarks>
+/// This is used for the VNextSavePolicyCommand. This optional but should be implemented for all policies that have
+/// certain requirements for the given organization.
+/// </remarks>
 public interface IPolicyValidationEvent : IPolicyUpdateEvent
 {
     /// <summary>
-    /// Performs side effects after a policy is validated but before it is saved.
+    /// Performs any validations required to enable or disable the policy.
-    /// For example, this can be used to remove non-compliant users from the organization.
-    /// Implementation is optional; by default, it will not perform any side effects.
     /// </summary>
     /// <param name="policyRequest">The policy save request containing the policy update and metadata</param>
     /// <param name="currentPolicy">The current policy, if any</param>

src/Core/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/AutomaticUserConfirmationPolicyEventHandler.cs

@@ -0,0 +1,131 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyUpdateEvents.Interfaces;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
+
+/// <summary>
+/// Represents an event handler for the Automatic User Confirmation policy.
+///
+/// This class validates that the following conditions are met:
+/// <ul>
+///     <li>The Single organization policy is enabled</li>
+///     <li>All organization users are compliant with the Single organization policy</li>
+///     <li>No provider users exist</li>
+/// </ul>
+///
+/// This class also performs side effects when the policy is being enabled or disabled. They are:
+/// <ul>
+///     <li>Sets the UseAutomaticUserConfirmation organization feature to match the policy update</li>
+/// </ul>
+/// </summary>
+public class AutomaticUserConfirmationPolicyEventHandler(
+    IOrganizationUserRepository organizationUserRepository,
+    IProviderUserRepository providerUserRepository,
+    IPolicyRepository policyRepository,
+    IOrganizationRepository organizationRepository,
+    TimeProvider timeProvider)
+    : IPolicyValidator, IPolicyValidationEvent, IOnPolicyPreUpdateEvent, IEnforceDependentPoliciesEvent
+{
+    public PolicyType Type => PolicyType.AutomaticUserConfirmation;
+    public async Task ExecutePreUpsertSideEffectAsync(SavePolicyModel policyRequest, Policy? currentPolicy) =>
+        await OnSaveSideEffectsAsync(policyRequest.PolicyUpdate, currentPolicy);
+
+    private const string _singleOrgPolicyNotEnabledErrorMessage =
+        "The Single organization policy must be enabled before enabling the Automatically confirm invited users policy.";
+
+    private const string _usersNotCompliantWithSingleOrgErrorMessage =
+        "All organization users must be compliant with the Single organization policy before enabling the Automatically confirm invited users policy. Please remove users who are members of multiple organizations.";
+
+    private const string _providerUsersExistErrorMessage =
+        "The organization has users with the Provider user type. Please remove provider users before enabling the Automatically confirm invited users policy.";
+
+    public IEnumerable<PolicyType> RequiredPolicies => [PolicyType.SingleOrg];
+
+    public async Task<string> ValidateAsync(PolicyUpdate policyUpdate, Policy? currentPolicy)
+    {
+        var isNotEnablingPolicy = policyUpdate is not { Enabled: true };
+        var policyAlreadyEnabled = currentPolicy is { Enabled: true };
+        if (isNotEnablingPolicy || policyAlreadyEnabled)
+        {
+            return string.Empty;
+        }
+
+        return await ValidateEnablingPolicyAsync(policyUpdate.OrganizationId);
+    }
+
+    public async Task<string> ValidateAsync(SavePolicyModel savePolicyModel, Policy? currentPolicy) =>
+        await ValidateAsync(savePolicyModel.PolicyUpdate, currentPolicy);
+
+    public async Task OnSaveSideEffectsAsync(PolicyUpdate policyUpdate, Policy? currentPolicy)
+    {
+        var organization = await organizationRepository.GetByIdAsync(policyUpdate.OrganizationId);
+
+        if (organization is not null)
+        {
+            organization.UseAutomaticUserConfirmation = policyUpdate.Enabled;
+            organization.RevisionDate = timeProvider.GetUtcNow().UtcDateTime;
+            await organizationRepository.UpsertAsync(organization);
+        }
+    }
+
+    private async Task<string> ValidateEnablingPolicyAsync(Guid organizationId)
+    {
+        var singleOrgValidationError = await ValidateSingleOrgPolicyComplianceAsync(organizationId);
+        if (!string.IsNullOrWhiteSpace(singleOrgValidationError))
+        {
+            return singleOrgValidationError;
+        }
+
+        var providerValidationError = await ValidateNoProviderUsersAsync(organizationId);
+        if (!string.IsNullOrWhiteSpace(providerValidationError))
+        {
+            return providerValidationError;
+        }
+
+        return string.Empty;
+    }
+
+    private async Task<string> ValidateSingleOrgPolicyComplianceAsync(Guid organizationId)
+    {
+        var singleOrgPolicy = await policyRepository.GetByOrganizationIdTypeAsync(organizationId, PolicyType.SingleOrg);
+        if (singleOrgPolicy is not { Enabled: true })
+        {
+            return _singleOrgPolicyNotEnabledErrorMessage;
+        }
+
+        return await ValidateUserComplianceWithSingleOrgAsync(organizationId);
+    }
+
+    private async Task<string> ValidateUserComplianceWithSingleOrgAsync(Guid organizationId)
+    {
+        var organizationUsers = (await organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId))
+            .Where(ou => ou.Status != OrganizationUserStatusType.Invited &&
+                         ou.Status != OrganizationUserStatusType.Revoked &&
+                         ou.UserId.HasValue)
+            .ToList();
+
+        if (organizationUsers.Count == 0)
+        {
+            return string.Empty;
+        }
+
+        var hasNonCompliantUser = (await organizationUserRepository.GetManyByManyUsersAsync(
+                organizationUsers.Select(ou => ou.UserId!.Value)))
+            .Any(uo => uo.OrganizationId != organizationId &&
+                       uo.Status != OrganizationUserStatusType.Invited);
+
+        return hasNonCompliantUser ? _usersNotCompliantWithSingleOrgErrorMessage : string.Empty;
+    }
+
+    private async Task<string> ValidateNoProviderUsersAsync(Guid organizationId)
+    {
+        var providerUsers = await providerUserRepository.GetManyByOrganizationAsync(organizationId);
+
+        return providerUsers.Count > 0 ? _providerUsersExistErrorMessage : string.Empty;
+    }
+}

test/Core.Test/AdminConsole/OrganizationFeatures/Policies/PolicyValidators/AutomaticUserConfirmationPolicyEventHandlerTests.cs

@@ -0,0 +1,628 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Entities.Provider;
+using Bit.Core.AdminConsole.Enums;
+using Bit.Core.AdminConsole.Enums.Provider;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.Models;
+using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.Repositories;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Policies.PolicyValidators;
+
+[SutProviderCustomize]
+public class AutomaticUserConfirmationPolicyEventHandlerTests
+{
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_SingleOrgNotEnabled_ReturnsError(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns((Policy?)null);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.Contains("Single organization policy must be enabled", result, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_SingleOrgPolicyDisabled_ReturnsError(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg, false)] Policy singleOrgPolicy,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns(singleOrgPolicy);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.Contains("Single organization policy must be enabled", result, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_UsersNotCompliantWithSingleOrg_ReturnsError(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        Guid nonCompliantUserId,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        var orgUser = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = policyUpdate.OrganizationId,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = nonCompliantUserId,
+            Email = "user@example.com"
+        };
+
+        var otherOrgUser = new OrganizationUser
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = Guid.NewGuid(),
+            UserId = nonCompliantUserId,
+            Status = OrganizationUserStatusType.Confirmed
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns(singleOrgPolicy);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([orgUser]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([otherOrgUser]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.Contains("compliant with the Single organization policy", result, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_UserWithInvitedStatusInOtherOrg_ValidationPasses(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        Guid userId,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        var orgUser = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = policyUpdate.OrganizationId,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = userId,
+            Email = "test@email.com"
+        };
+
+        var otherOrgUser = new OrganizationUser
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = Guid.NewGuid(),
+            UserId = null, // invited users do not have a user id
+            Status = OrganizationUserStatusType.Invited,
+            Email = orgUser.Email
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns(singleOrgPolicy);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([orgUser]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([otherOrgUser]);
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_ProviderUsersExist_ReturnsError(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        var providerUser = new ProviderUser
+        {
+            Id = Guid.NewGuid(),
+            ProviderId = Guid.NewGuid(),
+            UserId = Guid.NewGuid(),
+            Status = ProviderUserStatusType.Confirmed
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns(singleOrgPolicy);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([]);
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([providerUser]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.Contains("Provider user type", result, StringComparison.OrdinalIgnoreCase);
+    }
+
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_AllValidationsPassed_ReturnsEmptyString(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        var orgUser = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = policyUpdate.OrganizationId,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = Guid.NewGuid(),
+            Email = "user@example.com"
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns(singleOrgPolicy);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([orgUser]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([]);
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_PolicyAlreadyEnabled_ReturnsEmptyString(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy currentPolicy,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        currentPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, currentPolicy);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+        await sutProvider.GetDependency<IPolicyRepository>()
+            .DidNotReceive()
+            .GetByOrganizationIdTypeAsync(Arg.Any<Guid>(), Arg.Any<PolicyType>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_DisablingPolicy_ReturnsEmptyString(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation, false)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy currentPolicy,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        currentPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, currentPolicy);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+        await sutProvider.GetDependency<IPolicyRepository>()
+            .DidNotReceive()
+            .GetByOrganizationIdTypeAsync(Arg.Any<Guid>(), Arg.Any<PolicyType>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_IncludesOwnersAndAdmins_InComplianceCheck(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        Guid nonCompliantOwnerId,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        var ownerUser = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = policyUpdate.OrganizationId,
+            Type = OrganizationUserType.Owner,
+            Status = OrganizationUserStatusType.Confirmed,
+            UserId = nonCompliantOwnerId,
+            Email = "owner@example.com"
+        };
+
+        var otherOrgUser = new OrganizationUser
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = Guid.NewGuid(),
+            UserId = nonCompliantOwnerId,
+            Status = OrganizationUserStatusType.Confirmed
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns(singleOrgPolicy);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([ownerUser]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([otherOrgUser]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.Contains("compliant with the Single organization policy", result, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_InvitedUsersExcluded_FromComplianceCheck(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        var invitedUser = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = policyUpdate.OrganizationId,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Invited,
+            UserId = Guid.NewGuid(),
+            Email = "invited@example.com"
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns(singleOrgPolicy);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([invitedUser]);
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_RevokedUsersExcluded_FromComplianceCheck(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        var revokedUser = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = policyUpdate.OrganizationId,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Revoked,
+            UserId = Guid.NewGuid(),
+            Email = "revoked@example.com"
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns(singleOrgPolicy);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([revokedUser]);
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_AcceptedUsersIncluded_InComplianceCheck(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        Guid nonCompliantUserId,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        var acceptedUser = new OrganizationUserUserDetails
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = policyUpdate.OrganizationId,
+            Type = OrganizationUserType.User,
+            Status = OrganizationUserStatusType.Accepted,
+            UserId = nonCompliantUserId,
+            Email = "accepted@example.com"
+        };
+
+        var otherOrgUser = new OrganizationUser
+        {
+            Id = Guid.NewGuid(),
+            OrganizationId = Guid.NewGuid(),
+            UserId = nonCompliantUserId,
+            Status = OrganizationUserStatusType.Confirmed
+        };
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns(singleOrgPolicy);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([acceptedUser]);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByManyUsersAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns([otherOrgUser]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.Contains("compliant with the Single organization policy", result, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_EnablingPolicy_EmptyOrganization_ReturnsEmptyString(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns(singleOrgPolicy);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([]);
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(policyUpdate, null);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+    }
+
+    [Theory, BitAutoData]
+    public async Task ValidateAsync_WithSavePolicyModel_CallsValidateWithPolicyUpdate(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.SingleOrg)] Policy singleOrgPolicy,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        singleOrgPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        var savePolicyModel = new SavePolicyModel(policyUpdate);
+
+        sutProvider.GetDependency<IPolicyRepository>()
+            .GetByOrganizationIdTypeAsync(policyUpdate.OrganizationId, PolicyType.SingleOrg)
+            .Returns(singleOrgPolicy);
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyDetailsByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([]);
+
+        sutProvider.GetDependency<IProviderUserRepository>()
+            .GetManyByOrganizationAsync(policyUpdate.OrganizationId)
+            .Returns([]);
+
+        // Act
+        var result = await sutProvider.Sut.ValidateAsync(savePolicyModel, null);
+
+        // Assert
+        Assert.True(string.IsNullOrEmpty(result));
+    }
+
+    [Theory, BitAutoData]
+    public async Task OnSaveSideEffectsAsync_EnablingPolicy_SetsUseAutomaticUserConfirmationToTrue(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        Organization organization,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        organization.Id = policyUpdate.OrganizationId;
+        organization.UseAutomaticUserConfirmation = false;
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(policyUpdate.OrganizationId)
+            .Returns(organization);
+
+        // Act
+        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
+
+        // Assert
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .UpsertAsync(Arg.Is<Organization>(o =>
+                o.Id == organization.Id &&
+                o.UseAutomaticUserConfirmation == true &&
+                o.RevisionDate > DateTime.MinValue));
+    }
+
+    [Theory, BitAutoData]
+    public async Task OnSaveSideEffectsAsync_DisablingPolicy_SetsUseAutomaticUserConfirmationToFalse(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation, false)] PolicyUpdate policyUpdate,
+        Organization organization,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        organization.Id = policyUpdate.OrganizationId;
+        organization.UseAutomaticUserConfirmation = true;
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(policyUpdate.OrganizationId)
+            .Returns(organization);
+
+        // Act
+        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
+
+        // Assert
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .UpsertAsync(Arg.Is<Organization>(o =>
+                o.Id == organization.Id &&
+                o.UseAutomaticUserConfirmation == false &&
+                o.RevisionDate > DateTime.MinValue));
+    }
+
+    [Theory, BitAutoData]
+    public async Task OnSaveSideEffectsAsync_OrganizationNotFound_DoesNotThrowException(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(policyUpdate.OrganizationId)
+            .Returns((Organization?)null);
+
+        // Act
+        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
+
+        // Assert
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .DidNotReceive()
+            .UpsertAsync(Arg.Any<Organization>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task ExecutePreUpsertSideEffectAsync_CallsOnSaveSideEffectsAsync(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        [Policy(PolicyType.AutomaticUserConfirmation)] Policy currentPolicy,
+        Organization organization,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        organization.Id = policyUpdate.OrganizationId;
+        currentPolicy.OrganizationId = policyUpdate.OrganizationId;
+
+        var savePolicyModel = new SavePolicyModel(policyUpdate);
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(policyUpdate.OrganizationId)
+            .Returns(organization);
+
+        // Act
+        await sutProvider.Sut.ExecutePreUpsertSideEffectAsync(savePolicyModel, currentPolicy);
+
+        // Assert
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .UpsertAsync(Arg.Is<Organization>(o =>
+                o.Id == organization.Id &&
+                o.UseAutomaticUserConfirmation == policyUpdate.Enabled));
+    }
+
+    [Theory, BitAutoData]
+    public async Task OnSaveSideEffectsAsync_UpdatesRevisionDate(
+        [PolicyUpdate(PolicyType.AutomaticUserConfirmation)] PolicyUpdate policyUpdate,
+        Organization organization,
+        SutProvider<AutomaticUserConfirmationPolicyEventHandler> sutProvider)
+    {
+        // Arrange
+        organization.Id = policyUpdate.OrganizationId;
+        var originalRevisionDate = DateTime.UtcNow.AddDays(-1);
+        organization.RevisionDate = originalRevisionDate;
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(policyUpdate.OrganizationId)
+            .Returns(organization);
+
+        // Act
+        await sutProvider.Sut.OnSaveSideEffectsAsync(policyUpdate, null);
+
+        // Assert
+        await sutProvider.GetDependency<IOrganizationRepository>()
+            .Received(1)
+            .UpsertAsync(Arg.Is<Organization>(o =>
+                o.Id == organization.Id &&
+                o.RevisionDate > originalRevisionDate));
+    }
+}