[PM-10311] Account Management: Create helper methods for checking against verified domains (#4636)

* Add HasVerifiedDomainsAsync method to IOrganizationDomainService

* Add GetManagedUserIdsByOrganizationIdAsync method to IOrganizationUserRepository and the corresponding queries

* Fix case on the sproc OrganizationUser_ReadManagedIdsByOrganizationId parameter

* Update the EF query to use the Email from the User table

* dotnet format

* Fix IOrganizationDomainService.HasVerifiedDomainsAsync by checking that domains have been Verified and add unit tests

* Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync

* Fix domain queries

* Add OrganizationUserRepository integration tests

* Add summary to IOrganizationDomainService.HasVerifiedDomainsAsync

* chore: Rename IOrganizationUserRepository.GetManagedUserIdsByOrganizationAsync to GetManyIdsManagedByOrganizationIdAsync

* Add IsManagedByAnyOrganizationAsync method to IUserRepository

* Add integration tests for UserRepository.IsManagedByAnyOrganizationAsync

* Refactor to IUserService.IsManagedByAnyOrganizationAsync and IOrganizationService.GetUsersOrganizationManagementStatusAsync

* chore: Refactor IsManagedByAnyOrganizationAsync method in UserService

* Refactor IOrganizationService.GetUsersOrganizationManagementStatusAsync to return IDictionary<Guid, bool>

* Extract IOrganizationService.GetUsersOrganizationManagementStatusAsync into a query

* Update comments in OrganizationDomainService to use proper capitalization

* Move OrganizationDomainService to AdminConsole ownership and update namespace

* feat: Add support for organization domains in enterprise plans

* feat: Add HasOrganizationDomains property to OrganizationAbility class

* refactor: Update GetOrganizationUsersManagementStatusQuery to use IApplicationCacheService

* Remove HasOrganizationDomains and use UseSso to check if Organization can have Verified Domains

* Refactor UserService.IsManagedByAnyOrganizationAsync to simply check the UseSso flag

* Add TODO comment for replacing 'UseSso' organization ability on user verified domain checks

* Bump date on migration script

* Add indexes to OrganizationDomain table

* Bump script migration date; Remove WITH ONLINE = ON from data migration.

src/Admin/Jobs/DeleteUnverifiedOrganizationDomainsJob.cs

@@ -1,6 +1,6 @@
 using Bit.Core;
+using Bit.Core.AdminConsole.Services;
 using Bit.Core.Jobs;
-using Bit.Core.Services;
 using Quartz;
 
 namespace Bit.Admin.Jobs;

src/Api/Jobs/ValidateOrganizationDomainJob.cs

@@ -1,6 +1,6 @@
 using Bit.Core;
+using Bit.Core.AdminConsole.Services;
 using Bit.Core.Jobs;
-using Bit.Core.Services;
 using Quartz;
 
 namespace Bit.Api.Jobs;

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQuery.cs

@@ -0,0 +1,41 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+public class GetOrganizationUsersManagementStatusQuery : IGetOrganizationUsersManagementStatusQuery
+{
+    private readonly IApplicationCacheService _applicationCacheService;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+
+    public GetOrganizationUsersManagementStatusQuery(
+        IApplicationCacheService applicationCacheService,
+        IOrganizationUserRepository organizationUserRepository)
+    {
+        _applicationCacheService = applicationCacheService;
+        _organizationUserRepository = organizationUserRepository;
+    }
+
+    public async Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId, IEnumerable<Guid> organizationUserIds)
+    {
+        if (organizationUserIds.Any())
+        {
+            // Users can only be managed by an Organization that is enabled and can have organization domains
+            var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(organizationId);
+
+            // TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
+            // Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
+            if (organizationAbility is { Enabled: true, UseSso: true })
+            {
+                // Get all organization users with claimed domains by the organization
+                var organizationUsersWithClaimedDomain = await _organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organizationId);
+
+                // Create a dictionary with the OrganizationUserId and a boolean indicating if the user is managed by the organization
+                return organizationUserIds.ToDictionary(ouId => ouId, ouId => organizationUsersWithClaimedDomain.Any(ou => ou.Id == ouId));
+            }
+        }
+
+        return organizationUserIds.ToDictionary(ouId => ouId, _ => false);
+    }
+}

src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Interfaces/IGetOrganizationUsersManagementStatusQuery.cs

@@ -0,0 +1,19 @@
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+
+public interface IGetOrganizationUsersManagementStatusQuery
+{
+    /// <summary>
+    /// Checks whether each user in the provided list of organization user IDs is managed by the specified organization.
+    /// </summary>
+    /// <param name="organizationId">The unique identifier of the organization to check against.</param>
+    /// <param name="organizationUserIds">A list of OrganizationUserIds to be checked.</param>
+    /// <remarks>
+    /// A managed user is a user whose email domain matches one of the Organization's verified domains.
+    /// The organization must be enabled and be on an Enterprise plan.
+    /// </remarks>
+    /// <returns>
+    /// A dictionary containing the OrganizationUserId and a boolean indicating if the user is managed by the organization.
+    /// </returns>
+    Task<IDictionary<Guid, bool>> GetUsersOrganizationManagementStatusAsync(Guid organizationId,
+        IEnumerable<Guid> organizationUserIds);
+}

src/Core/AdminConsole/Repositories/IOrganizationRepository.cs

@@ -17,4 +17,9 @@ public interface IOrganizationRepository : IRepository<Organization, Guid>
     Task<SelfHostedOrganizationDetails?> GetSelfHostedOrganizationDetailsById(Guid id);
     Task<ICollection<Organization>> SearchUnassignedToProviderAsync(string name, string ownerEmail, int skip, int take);
     Task<IEnumerable<string>> GetOwnerEmailAddressesById(Guid organizationId);
+
+    /// <summary>
+    /// Gets the organization that has a claimed domain matching the user's email domain.
+    /// </summary>
+    Task<Organization> GetByClaimedUserDomainAsync(Guid userId);
 }

src/Core/AdminConsole/Repositories/IOrganizationUserRepository.cs

@@ -55,4 +55,8 @@ public interface IOrganizationUserRepository : IRepository<OrganizationUser, Gui
     UpdateEncryptedDataForKeyRotation UpdateForKeyRotation(Guid userId,
         IEnumerable<OrganizationUser> resetPasswordKeys);
 
+    /// <summary>
+    /// Returns a list of OrganizationUsers with email domains that match one of the Organization's claimed domains.
+    /// </summary>
+    Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId);
 }

src/Core/AdminConsole/Services/IOrganizationDomainService.cs

@@ -0,0 +1,11 @@
+namespace Bit.Core.AdminConsole.Services;
+
+public interface IOrganizationDomainService
+{
+    Task ValidateOrganizationsDomainAsync();
+    Task OrganizationDomainMaintenanceAsync();
+    /// <summary>
+    /// Indicates if the organization has any verified domains.
+    /// </summary>
+    Task<bool> HasVerifiedDomainsAsync(Guid orgId);
+}

src/Core/AdminConsole/Services/Implementations/OrganizationDomainService.cs

@@ -1,9 +1,10 @@
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Settings;
 using Microsoft.Extensions.Logging;
 
-namespace Bit.Core.Services;
+namespace Bit.Core.AdminConsole.Services.Implementations;
 
 public class OrganizationDomainService : IOrganizationDomainService
 {
@@ -53,7 +54,7 @@ public class OrganizationDomainService : IOrganizationDomainService
                 {
                     _logger.LogInformation(Constants.BypassFiltersEventId, "Successfully validated domain");
 
-                    //update entry on OrganizationDomain table 
+                    // Update entry on OrganizationDomain table
                     domain.SetLastCheckedDate();
                     domain.SetVerifiedDate();
                     domain.SetJobRunCount();
@@ -64,7 +65,7 @@ public class OrganizationDomainService : IOrganizationDomainService
                 }
                 else
                 {
-                    //update entry on OrganizationDomain table 
+                    // Update entry on OrganizationDomain table
                     domain.SetLastCheckedDate();
                     domain.SetJobRunCount();
                     domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
@@ -78,7 +79,7 @@ public class OrganizationDomainService : IOrganizationDomainService
             }
             catch (Exception ex)
             {
-                //update entry on OrganizationDomain table 
+                // Update entry on OrganizationDomain table
                 domain.SetLastCheckedDate();
                 domain.SetJobRunCount();
                 domain.SetNextRunDate(_globalSettings.DomainVerification.VerificationInterval);
@@ -117,7 +118,7 @@ public class OrganizationDomainService : IOrganizationDomainService
 
                 _logger.LogInformation(Constants.BypassFiltersEventId, "Expired domain: {domainName}", domain.DomainName);
             }
-            //delete domains that have not been verified within 7 days 
+            // Delete domains that have not been verified within 7 days
             var status = await _domainRepository.DeleteExpiredAsync(_globalSettings.DomainVerification.ExpirationPeriod);
             _logger.LogInformation(Constants.BypassFiltersEventId, "Delete status {status}", status);
         }
@@ -127,6 +128,12 @@ public class OrganizationDomainService : IOrganizationDomainService
         }
     }
 
+    public async Task<bool> HasVerifiedDomainsAsync(Guid orgId)
+    {
+        var orgDomains = await _domainRepository.GetDomainsByOrganizationIdAsync(orgId);
+        return orgDomains.Any(od => od.VerifiedDate != null);
+    }
+
     private async Task<List<string>> GetAdminEmailsAsync(Guid organizationId)
     {
         var orgUsers = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(organizationId);

src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs

@@ -139,6 +139,7 @@ public static class OrganizationServiceCollectionExtensions
         services.AddScoped<ICountNewSmSeatsRequiredQuery, CountNewSmSeatsRequiredQuery>();
         services.AddScoped<IAcceptOrgUserCommand, AcceptOrgUserCommand>();
         services.AddScoped<IOrganizationUserUserDetailsQuery, OrganizationUserUserDetailsQuery>();
+        services.AddScoped<IGetOrganizationUsersManagementStatusQuery, GetOrganizationUsersManagementStatusQuery>();
     }
 
     // TODO: move to OrganizationSubscriptionServiceCollectionExtensions when OrganizationUser methods are moved out of

src/Core/Services/IOrganizationDomainService.cs

@@ -1,7 +0,0 @@
-namespace Bit.Core.Services;
-
-public interface IOrganizationDomainService
-{
-    Task ValidateOrganizationsDomainAsync();
-    Task OrganizationDomainMaintenanceAsync();
-}

src/Core/Services/IUserService.cs

@@ -86,4 +86,13 @@ public interface IUserService
     /// We force these users to the web to migrate their encryption scheme.
     /// </summary>
     Task<bool> IsLegacyUser(string userId);
+
+    /// <summary>
+    /// Indicates if the user is managed by any organization.
+    /// </summary>
+    /// <remarks>
+    /// A managed user is a user whose email domain matches one of the Organization's verified domains.
+    /// The organization must be enabled and be on an Enterprise plan.
+    /// </remarks>
+    Task<bool> IsManagedByAnyOrganizationAsync(Guid userId);
 }

src/Core/Services/Implementations/UserService.cs

@@ -1244,6 +1244,16 @@ public class UserService : UserManager<User>, IUserService, IDisposable
         return IsLegacyUser(user);
     }
 
+    public async Task<bool> IsManagedByAnyOrganizationAsync(Guid userId)
+    {
+        // Users can only be managed by an Organization that is enabled and can have organization domains
+        var organization = await _organizationRepository.GetByClaimedUserDomainAsync(userId);
+
+        // TODO: Replace "UseSso" with a new organization ability like "UseOrganizationDomains" (PM-11622).
+        // Verified domains were tied to SSO, so we currently check the "UseSso" organization ability.
+        return organization is { Enabled: true, UseSso: true };
+    }
+
     /// <inheritdoc cref="IsLegacyUser(string)"/>
     public static bool IsLegacyUser(User user)
     {

src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationRepository.cs

@@ -167,4 +167,17 @@ public class OrganizationRepository : Repository<Organization, Guid>, IOrganizat
             new { OrganizationId = organizationId },
             commandType: CommandType.StoredProcedure);
     }
+
+    public async Task<Organization> GetByClaimedUserDomainAsync(Guid userId)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var result = await connection.QueryAsync<Organization>(
+                "[dbo].[Organization_ReadByClaimedUserEmailDomain]",
+                new { UserId = userId },
+                commandType: CommandType.StoredProcedure);
+
+            return result.SingleOrDefault();
+        }
+    }
 }

src/Infrastructure.Dapper/AdminConsole/Repositories/OrganizationUserRepository.cs

@@ -545,4 +545,17 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
                 transaction: transaction,
                 commandType: CommandType.StoredProcedure);
     }
+
+    public async Task<ICollection<OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId)
+    {
+        using (var connection = new SqlConnection(ConnectionString))
+        {
+            var results = await connection.QueryAsync<OrganizationUser>(
+                $"[{Schema}].[OrganizationUser_ReadByOrganizationIdWithClaimedDomains]",
+                new { OrganizationId = organizationId },
+                commandType: CommandType.StoredProcedure);
+
+            return results.ToList();
+        }
+    }
 }

src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs

@@ -271,6 +271,25 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
         return await query.ToListAsync();
     }
 
+    public async Task<Core.AdminConsole.Entities.Organization> GetByClaimedUserDomainAsync(Guid userId)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+
+            var query = from u in dbContext.Users
+                        join ou in dbContext.OrganizationUsers on u.Id equals ou.UserId
+                        join o in dbContext.Organizations on ou.OrganizationId equals o.Id
+                        join od in dbContext.OrganizationDomains on ou.OrganizationId equals od.OrganizationId
+                        where u.Id == userId
+                              && od.VerifiedDate != null
+                              && u.Email.ToLower().EndsWith("@" + od.DomainName.ToLower())
+                        select o;
+
+            return await query.FirstOrDefaultAsync();
+        }
+    }
+
     public Task EnableCollectionEnhancements(Guid organizationId)
     {
         throw new NotImplementedException("Collection enhancements migration is not yet supported for Entity Framework.");

src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs

@@ -711,4 +711,14 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
         };
     }
 
+    public async Task<ICollection<Core.Entities.OrganizationUser>> GetManyByOrganizationWithClaimedDomainsAsync(Guid organizationId)
+    {
+        using (var scope = ServiceScopeFactory.CreateScope())
+        {
+            var dbContext = GetDatabaseContext(scope);
+            var query = new OrganizationUserReadByClaimedOrganizationDomainsQuery(organizationId);
+            var data = await query.Run(dbContext).ToListAsync();
+            return data;
+        }
+    }
 }

src/Infrastructure.EntityFramework/AdminConsole/Repositories/Queries/OrganizationUserReadByClaimedOrganizationDomainsQuery.cs

@@ -0,0 +1,27 @@
+using Bit.Core.Entities;
+
+namespace Bit.Infrastructure.EntityFramework.Repositories.Queries;
+
+public class OrganizationUserReadByClaimedOrganizationDomainsQuery : IQuery<OrganizationUser>
+{
+    private readonly Guid _organizationId;
+
+    public OrganizationUserReadByClaimedOrganizationDomainsQuery(Guid organizationId)
+    {
+        _organizationId = organizationId;
+    }
+
+    public IQueryable<OrganizationUser> Run(DatabaseContext dbContext)
+    {
+        var query = from ou in dbContext.OrganizationUsers
+                    join u in dbContext.Users on ou.UserId equals u.Id
+                    where ou.OrganizationId == _organizationId
+                          && dbContext.OrganizationDomains
+                              .Any(od => od.OrganizationId == _organizationId &&
+                                         od.VerifiedDate != null &&
+                                         u.Email.ToLower().EndsWith("@" + od.DomainName.ToLower()))
+                    select ou;
+
+        return query;
+    }
+}

src/Sql/dbo/Stored Procedures/OrganizationUser_ReadByOrganizationIdWithClaimedDomains.sql

@@ -0,0 +1,18 @@
+CREATE PROCEDURE [dbo].[OrganizationUser_ReadByOrganizationIdWithClaimedDomains]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    SELECT OU.*
+    FROM [dbo].[OrganizationUserView] OU
+    INNER JOIN [dbo].[UserView] U ON OU.[UserId] = U.[Id]
+    WHERE OU.[OrganizationId] = @OrganizationId
+        AND EXISTS (
+            SELECT 1
+            FROM [dbo].[OrganizationDomainView] OD
+            WHERE OD.[OrganizationId] = @OrganizationId
+                AND OD.[VerifiedDate] IS NOT NULL
+                AND U.[Email] LIKE '%@' + OD.[DomainName]
+        );
+END

src/Sql/dbo/Stored Procedures/Organization_ReadByClaimedUserEmailDomain.sql

@@ -0,0 +1,15 @@
+CREATE PROCEDURE [dbo].[Organization_ReadByClaimedUserEmailDomain]
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    SELECT O.*
+    FROM [dbo].[UserView] U
+    INNER JOIN [dbo].[OrganizationUserView] OU ON U.[Id] = OU.[UserId]
+    INNER JOIN [dbo].[OrganizationView] O ON OU.[OrganizationId] = O.[Id]
+    INNER JOIN [dbo].[OrganizationDomainView] OD ON OU.[OrganizationId] = OD.[OrganizationId]
+    WHERE U.[Id] = @UserId
+        AND OD.[VerifiedDate] IS NOT NULL
+        AND U.[Email] LIKE '%@' + OD.[DomainName];
+END

src/Sql/dbo/Tables/OrganizationDomain.sql

@@ -12,4 +12,13 @@ CREATE TABLE [dbo].[OrganizationDomain] (
     CONSTRAINT [FK_OrganzationDomain_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
 );
 
-GO
+GO
+
+CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_OrganizationIdVerifiedDate]
+    ON [dbo].[OrganizationDomain] ([OrganizationId],[VerifiedDate]);
+GO
+
+CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_VerifiedDate]
+    ON [dbo].[OrganizationDomain] ([VerifiedDate])
+    INCLUDE ([OrganizationId],[DomainName]);
+GO

test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/GetOrganizationUsersManagementStatusQueryTests.cs

@@ -0,0 +1,101 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+using Bit.Core.Entities;
+using Bit.Core.Models.Data.Organizations;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.OrganizationUsers;
+
+[SutProviderCustomize]
+public class GetOrganizationUsersManagementStatusQueryTests
+{
+    [Theory, BitAutoData]
+    public async Task GetUsersOrganizationManagementStatusAsync_WithNoUsers_ReturnsEmpty(
+        Organization organization,
+        SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
+    {
+        var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, new List<Guid>());
+
+        Assert.Empty(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetUsersOrganizationManagementStatusAsync_WithUseSsoEnabled_Success(
+        Organization organization,
+        ICollection<OrganizationUser> usersWithClaimedDomain,
+        SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
+    {
+        organization.Enabled = true;
+        organization.UseSso = true;
+
+        var userIdWithoutClaimedDomain = Guid.NewGuid();
+        var userIdsToCheck = usersWithClaimedDomain.Select(u => u.Id).Concat(new List<Guid> { userIdWithoutClaimedDomain }).ToList();
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility(organization));
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByOrganizationWithClaimedDomainsAsync(organization.Id)
+            .Returns(usersWithClaimedDomain);
+
+        var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, userIdsToCheck);
+
+        Assert.All(usersWithClaimedDomain, ou => Assert.True(result[ou.Id]));
+        Assert.False(result[userIdWithoutClaimedDomain]);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetUsersOrganizationManagementStatusAsync_WithUseSsoDisabled_ReturnsAllFalse(
+        Organization organization,
+        ICollection<OrganizationUser> usersWithClaimedDomain,
+        SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
+    {
+        organization.Enabled = true;
+        organization.UseSso = false;
+
+        var userIdWithoutClaimedDomain = Guid.NewGuid();
+        var userIdsToCheck = usersWithClaimedDomain.Select(u => u.Id).Concat(new List<Guid> { userIdWithoutClaimedDomain }).ToList();
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility(organization));
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByOrganizationWithClaimedDomainsAsync(organization.Id)
+            .Returns(usersWithClaimedDomain);
+
+        var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, userIdsToCheck);
+
+        Assert.All(result, r => Assert.False(r.Value));
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetUsersOrganizationManagementStatusAsync_WithDisabledOrganization_ReturnsAllFalse(
+        Organization organization,
+        ICollection<OrganizationUser> usersWithClaimedDomain,
+        SutProvider<GetOrganizationUsersManagementStatusQuery> sutProvider)
+    {
+        organization.Enabled = false;
+
+        var userIdWithoutClaimedDomain = Guid.NewGuid();
+        var userIdsToCheck = usersWithClaimedDomain.Select(u => u.Id).Concat(new List<Guid> { userIdWithoutClaimedDomain }).ToList();
+
+        sutProvider.GetDependency<IApplicationCacheService>()
+            .GetOrganizationAbilityAsync(organization.Id)
+            .Returns(new OrganizationAbility(organization));
+
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetManyByOrganizationWithClaimedDomainsAsync(organization.Id)
+            .Returns(usersWithClaimedDomain);
+
+        var result = await sutProvider.Sut.GetUsersOrganizationManagementStatusAsync(organization.Id, userIdsToCheck);
+
+        Assert.All(result, r => Assert.False(r.Value));
+    }
+}

test/Core.Test/AdminConsole/Services/OrganizationDomainServiceTests.cs

@@ -1,4 +1,5 @@
-using Bit.Core.Entities;
+using Bit.Core.AdminConsole.Services.Implementations;
+using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -7,7 +8,7 @@ using Bit.Test.Common.AutoFixture.Attributes;
 using NSubstitute;
 using Xunit;
 
-namespace Bit.Core.Test.Services;
+namespace Bit.Core.Test.AdminConsole.Services;
 
 [SutProviderCustomize]
 public class OrganizationDomainServiceTests
@@ -80,4 +81,48 @@ public class OrganizationDomainServiceTests
         await sutProvider.GetDependency<IOrganizationDomainRepository>().ReceivedWithAnyArgs(1)
             .DeleteExpiredAsync(7);
     }
+
+    [Theory, BitAutoData]
+    public async Task HasVerifiedDomainsAsync_WithVerifiedDomain_ReturnsTrue(
+        OrganizationDomain organizationDomain,
+        SutProvider<OrganizationDomainService> sutProvider)
+    {
+        organizationDomain.SetVerifiedDate(); // Set the verified date to make it verified
+
+        sutProvider.GetDependency<IOrganizationDomainRepository>()
+            .GetDomainsByOrganizationIdAsync(organizationDomain.OrganizationId)
+            .Returns(new List<OrganizationDomain> { organizationDomain });
+
+        var result = await sutProvider.Sut.HasVerifiedDomainsAsync(organizationDomain.OrganizationId);
+
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasVerifiedDomainsAsync_WithoutVerifiedDomain_ReturnsFalse(
+        OrganizationDomain organizationDomain,
+        SutProvider<OrganizationDomainService> sutProvider)
+    {
+        sutProvider.GetDependency<IOrganizationDomainRepository>()
+            .GetDomainsByOrganizationIdAsync(organizationDomain.OrganizationId)
+            .Returns(new List<OrganizationDomain> { organizationDomain });
+
+        var result = await sutProvider.Sut.HasVerifiedDomainsAsync(organizationDomain.OrganizationId);
+
+        Assert.False(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task HasVerifiedDomainsAsync_WithoutOrganizationDomains_ReturnsFalse(
+        Guid organizationId,
+        SutProvider<OrganizationDomainService> sutProvider)
+    {
+        sutProvider.GetDependency<IOrganizationDomainRepository>()
+            .GetDomainsByOrganizationIdAsync(organizationId)
+            .Returns(new List<OrganizationDomain>());
+
+        var result = await sutProvider.Sut.HasVerifiedDomainsAsync(organizationId);
+
+        Assert.False(result);
+    }
 }

test/Core.Test/Services/UserServiceTests.cs

@@ -276,6 +276,51 @@ public class UserServiceTests
             .VerifyHashedPassword(user, "hashed_test_password", secret);
     }
 
+    [Theory, BitAutoData]
+    public async Task IsManagedByAnyOrganizationAsync_WithManagingEnabledOrganization_ReturnsTrue(
+        SutProvider<UserService> sutProvider, Guid userId, Organization organization)
+    {
+        organization.Enabled = true;
+        organization.UseSso = true;
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByClaimedUserDomainAsync(userId)
+            .Returns(organization);
+
+        var result = await sutProvider.Sut.IsManagedByAnyOrganizationAsync(userId);
+        Assert.True(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task IsManagedByAnyOrganizationAsync_WithManagingDisabledOrganization_ReturnsFalse(
+        SutProvider<UserService> sutProvider, Guid userId, Organization organization)
+    {
+        organization.Enabled = false;
+        organization.UseSso = true;
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByClaimedUserDomainAsync(userId)
+            .Returns(organization);
+
+        var result = await sutProvider.Sut.IsManagedByAnyOrganizationAsync(userId);
+        Assert.False(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task IsManagedByAnyOrganizationAsync_WithOrganizationUseSsoFalse_ReturnsFalse(
+        SutProvider<UserService> sutProvider, Guid userId, Organization organization)
+    {
+        organization.Enabled = true;
+        organization.UseSso = false;
+
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByClaimedUserDomainAsync(userId)
+            .Returns(organization);
+
+        var result = await sutProvider.Sut.IsManagedByAnyOrganizationAsync(userId);
+        Assert.False(result);
+    }
+
     private static void SetupUserAndDevice(User user,
         bool shouldHavePassword)
     {

test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationRepositoryTests.cs

@@ -0,0 +1,109 @@
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Repositories;
+using Xunit;
+
+namespace Bit.Infrastructure.IntegrationTest.Repositories;
+
+public class OrganizationRepositoryTests
+{
+    [DatabaseTheory, DatabaseData]
+    public async Task GetByClaimedUserDomainAsync_WithVerifiedDomain_Success(
+        IUserRepository userRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationDomainRepository organizationDomainRepository)
+    {
+        var id = Guid.NewGuid();
+        var domainName = $"{id}.example.com";
+
+        var user1 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 1",
+            Email = $"test+{id}@{domainName}",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var user2 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 2",
+            Email = $"test+{id}@x-{domainName}", // Different domain
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var user3 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 2",
+            Email = $"test+{id}@{domainName}.example.com", // Different domain
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {id}",
+            BillingEmail = user1.Email, // TODO: EF does not enforce this being NOT NULl
+            Plan = "Test", // TODO: EF does not enforce this being NOT NULl
+            PrivateKey = "privatekey",
+        });
+
+        var organizationDomain = new OrganizationDomain
+        {
+            OrganizationId = organization.Id,
+            DomainName = domainName,
+            Txt = "btw+12345",
+        };
+        organizationDomain.SetVerifiedDate();
+        organizationDomain.SetNextRunDate(12);
+        organizationDomain.SetJobRunCount();
+        await organizationDomainRepository.CreateAsync(organizationDomain);
+
+        await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            OrganizationId = organization.Id,
+            UserId = user1.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            ResetPasswordKey = "resetpasswordkey1",
+        });
+
+        await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            OrganizationId = organization.Id,
+            UserId = user2.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            ResetPasswordKey = "resetpasswordkey1",
+        });
+
+        await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            OrganizationId = organization.Id,
+            UserId = user3.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            ResetPasswordKey = "resetpasswordkey1",
+        });
+
+        var user1Response = await organizationRepository.GetByClaimedUserDomainAsync(user1.Id);
+        var user2Response = await organizationRepository.GetByClaimedUserDomainAsync(user2.Id);
+        var user3Response = await organizationRepository.GetByClaimedUserDomainAsync(user3.Id);
+
+        Assert.NotNull(user1Response);
+        Assert.Equal(organization.Id, user1Response.Id);
+        Assert.Null(user2Response);
+        Assert.Null(user3Response);
+    }
+}

test/Infrastructure.IntegrationTest/AdminConsole/Repositories/OrganizationUserRepositoryTests.cs

@@ -256,4 +256,100 @@ public class OrganizationUserRepositoryTests
         Assert.Equal(organization.LimitCollectionCreationDeletion, result.LimitCollectionCreationDeletion);
         Assert.Equal(organization.AllowAdminAccessToAllCollectionItems, result.AllowAdminAccessToAllCollectionItems);
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetManyByOrganizationWithClaimedDomainsAsync_WithVerifiedDomain_WithOneMatchingEmailDomain_ReturnsSingle(
+        IUserRepository userRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IOrganizationDomainRepository organizationDomainRepository)
+    {
+        var id = Guid.NewGuid();
+        var domainName = $"{id}.example.com";
+
+        var user1 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 1",
+            Email = $"test+{id}@{domainName}",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var user2 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 2",
+            Email = $"test+{id}@x-{domainName}", // Different domain
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var user3 = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User 2",
+            Email = $"test+{id}@{domainName}.example.com", // Different domain
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = 1,
+            KdfMemory = 2,
+            KdfParallelism = 3
+        });
+
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = $"Test Org {id}",
+            BillingEmail = user1.Email, // TODO: EF does not enforce this being NOT NULl
+            Plan = "Test", // TODO: EF does not enforce this being NOT NULl
+            PrivateKey = "privatekey",
+        });
+
+        var organizationDomain = new OrganizationDomain
+        {
+            OrganizationId = organization.Id,
+            DomainName = domainName,
+            Txt = "btw+12345",
+        };
+        organizationDomain.SetVerifiedDate();
+        organizationDomain.SetNextRunDate(12);
+        organizationDomain.SetJobRunCount();
+        await organizationDomainRepository.CreateAsync(organizationDomain);
+
+        var orgUser1 = await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            OrganizationId = organization.Id,
+            UserId = user1.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            ResetPasswordKey = "resetpasswordkey1",
+        });
+
+        await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            OrganizationId = organization.Id,
+            UserId = user2.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            ResetPasswordKey = "resetpasswordkey1",
+        });
+
+        await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            OrganizationId = organization.Id,
+            UserId = user3.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            ResetPasswordKey = "resetpasswordkey1",
+        });
+
+        var responseModel = await organizationUserRepository.GetManyByOrganizationWithClaimedDomainsAsync(organization.Id);
+
+        Assert.NotNull(responseModel);
+        Assert.Single(responseModel);
+        Assert.Equal(orgUser1.Id, responseModel.Single().Id);
+    }
 }

util/Migrator/DbScripts/2024-09-10_00_UsersManagedByOrg.sql

@@ -0,0 +1,55 @@
+IF NOT EXISTS(SELECT name
+FROM sys.indexes
+WHERE name = 'IX_OrganizationDomain_OrganizationIdVerifiedDate')
+BEGIN
+    CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_OrganizationIdVerifiedDate]
+        ON [dbo].[OrganizationDomain] ([OrganizationId],[VerifiedDate]);
+END
+GO
+
+IF NOT EXISTS(SELECT name
+FROM sys.indexes
+WHERE name = 'IX_OrganizationDomain_VerifiedDate')
+BEGIN
+    CREATE NONCLUSTERED INDEX [IX_OrganizationDomain_VerifiedDate]
+        ON [dbo].[OrganizationDomain] ([VerifiedDate])
+        INCLUDE ([OrganizationId],[DomainName]);
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[OrganizationUser_ReadByOrganizationIdWithClaimedDomains]
+    @OrganizationId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    SELECT OU.*
+    FROM [dbo].[OrganizationUserView] OU
+    INNER JOIN [dbo].[UserView] U ON OU.[UserId] = U.[Id]
+    WHERE OU.[OrganizationId] = @OrganizationId
+        AND EXISTS (
+            SELECT 1
+            FROM [dbo].[OrganizationDomainView] OD
+            WHERE OD.[OrganizationId] = @OrganizationId
+                AND OD.[VerifiedDate] IS NOT NULL
+                AND U.[Email] LIKE '%@' + OD.[DomainName]
+        );
+END
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[Organization_ReadByClaimedUserEmailDomain]
+    @UserId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    SELECT O.*
+    FROM [dbo].[UserView] U
+    INNER JOIN [dbo].[OrganizationUserView] OU ON U.[Id] = OU.[UserId]
+    INNER JOIN [dbo].[OrganizationView] O ON OU.[OrganizationId] = O.[Id]
+    INNER JOIN [dbo].[OrganizationDomainView] OD ON OU.[OrganizationId] = OD.[OrganizationId]
+    WHERE U.[Id] = @UserId
+        AND OD.[VerifiedDate] IS NOT NULL
+        AND U.[Email] LIKE '%@' + OD.[DomainName];
+END
+GO