diff --git a/bitwarden_license/src/Portal/Models/ResetPasswordDataModel.cs b/src/Core/Models/Data/ResetPasswordDataModel.cs
similarity index 87%
rename from bitwarden_license/src/Portal/Models/ResetPasswordDataModel.cs
rename to src/Core/Models/Data/ResetPasswordDataModel.cs
index 583c413b3..359b74d64 100644
--- a/bitwarden_license/src/Portal/Models/ResetPasswordDataModel.cs
+++ b/src/Core/Models/Data/ResetPasswordDataModel.cs
@@ -1,6 +1,6 @@
using System.ComponentModel.DataAnnotations;
-namespace Bit.Portal.Models
+namespace Bit.Core.Models.Data
{
public class ResetPasswordDataModel
{
diff --git a/src/Core/Resources/SharedResources.en.resx b/src/Core/Resources/SharedResources.en.resx
index 836f2b356..c2e6c4052 100644
--- a/src/Core/Resources/SharedResources.en.resx
+++ b/src/Core/Resources/SharedResources.en.resx
@@ -665,12 +665,12 @@
Automatic Enrollment
- All users will be automatically enrolled in password reset once their invite is accepted.
+ All users will be automatically enrolled in password reset once their invite is accepted and will not be allowed to withdraw.
Users already in the organization will not be retroactively enrolled in password reset. They will need to self-enroll before administrators can reset their master password.
- Automatically enroll new users
+ Require new users to be enrolled automatically
diff --git a/src/Core/Services/Implementations/OrganizationService.cs b/src/Core/Services/Implementations/OrganizationService.cs
index 572317c3d..8325c8a28 100644
--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@@ -1728,6 +1728,17 @@ namespace Bit.Core.Services
throw new BadRequestException("Organization does not have the password reset policy enabled.");
}
+ // Block the user from withdrawal if auto enrollment is enabled
+ if (resetPasswordKey == null && resetPasswordPolicy.Data != null)
+ {
+ var data = JsonConvert.DeserializeObject(resetPasswordPolicy.Data);
+
+ if (data?.AutoEnrollEnabled ?? false)
+ {
+ throw new BadRequestException("Due to an Enterprise Policy, you are not allowed to withdraw from Password Reset.");
+ }
+ }
+
orgUser.ResetPasswordKey = resetPasswordKey;
await _organizationUserRepository.ReplaceAsync(orgUser);
await _eventService.LogOrganizationUserEventAsync(orgUser, resetPasswordKey != null ?
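Review bot: The withdrawal guard `if (resetPasswordKey == null && resetPasswordPolicy.Data != null)` treats only a null key as a withdrawal, so an empty or whitespace `resetPasswordKey` (assuming it is a string) skips the policy check and is still written to `orgUser.ResetPasswordKey`. That would leave the user effectively unenrolled while the event call below records it as an enrollment, since it branches on `resetPasswordKey != null`. Unless the caller already rejects such values, which is not visible in this hunk, the condition should read `if (string.IsNullOrWhiteSpace(resetPasswordKey) && resetPasswordPolicy.Data != null)`. As shown, `JsonConvert.DeserializeObject(resetPasswordPolicy.Data)` has no type argument and would return `object`, which does not expose `AutoEnrollEnabled`; presumably a `<ResetPasswordDataModel>` argument was lost when the page was rendered. The enclosing method starts and ends outside the hunk.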