docs: docs for ID and slug support across all operator CRDS

Merge pull request #4480 from Infisical/daniel/version-docs
docs(secret-versioning): fixed inconsistencies
2025-09-06 06:00:42 +00:00 · 2025-09-05 14:15:27 +02:00 · 2025-09-04 21:03:55 -04:00 · 2025-09-04 17:50:43 -03:00 · 2025-09-04 17:43:40 -03:00 · 2025-09-04 21:51:34 +02:00
321 changed files with 20884 additions and 9549 deletions
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -25,6 +25,7 @@
        "@fastify/multipart": "8.3.1",
        "@fastify/passport": "^2.4.0",
        "@fastify/rate-limit": "^9.0.0",
+        "@fastify/reply-from": "^9.8.0",
        "@fastify/request-context": "^5.1.0",
        "@fastify/session": "^10.7.0",
        "@fastify/static": "^7.0.4",
@@ -63,6 +64,7 @@
        "argon2": "^0.31.2",
        "aws-sdk": "^2.1553.0",
        "axios": "^1.11.0",
+        "axios-ntlm": "^1.4.4",
        "axios-retry": "^4.0.0",
        "bcrypt": "^5.1.1",
        "botbuilder": "^4.23.2",
@@ -8043,6 +8045,42 @@
        "toad-cache": "^3.3.0"
      }
    },
+    "node_modules/@fastify/reply-from": {
+      "version": "9.8.0",
+      "resolved": "https://registry.npmjs.org/@fastify/reply-from/-/reply-from-9.8.0.tgz",
+      "integrity": "sha512-bPNVaFhEeNI0Lyl6404YZaPFokudCplidE3QoOcr78yOy6H9sYw97p5KPYvY/NJNUHfFtvxOaSAHnK+YSiv/Mg==",
+      "license": "MIT",
+      "dependencies": {
+        "@fastify/error": "^3.0.0",
+        "end-of-stream": "^1.4.4",
+        "fast-content-type-parse": "^1.1.0",
+        "fast-querystring": "^1.0.0",
+        "fastify-plugin": "^4.0.0",
+        "toad-cache": "^3.7.0",
+        "undici": "^5.19.1"
+      }
+    },
+    "node_modules/@fastify/reply-from/node_modules/@fastify/busboy": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
+      "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=14"
+      }
+    },
+    "node_modules/@fastify/reply-from/node_modules/undici": {
+      "version": "5.29.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
+      "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
+      "license": "MIT",
+      "dependencies": {
+        "@fastify/busboy": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=14.0"
+      }
+    },
    "node_modules/@fastify/request-context": {
      "version": "5.1.0",
      "resolved": "https://registry.npmjs.org/@fastify/request-context/-/request-context-5.1.0.tgz",
@@ -12956,216 +12994,6 @@
      "dev": true,
      "license": "MIT"
    },
-    "node_modules/@swc/core": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core/-/core-1.3.107.tgz",
-      "integrity": "sha512-zKhqDyFcTsyLIYK1iEmavljZnf4CCor5pF52UzLAz4B6Nu/4GLU+2LQVAf+oRHjusG39PTPjd2AlRT3f3QWfsQ==",
-      "dev": true,
-      "hasInstallScript": true,
-      "optional": true,
-      "peer": true,
-      "dependencies": {
-        "@swc/counter": "^0.1.1",
-        "@swc/types": "^0.1.5"
-      },
-      "engines": {
-        "node": ">=10"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/swc"
-      },
-      "optionalDependencies": {
-        "@swc/core-darwin-arm64": "1.3.107",
-        "@swc/core-darwin-x64": "1.3.107",
-        "@swc/core-linux-arm-gnueabihf": "1.3.107",
-        "@swc/core-linux-arm64-gnu": "1.3.107",
-        "@swc/core-linux-arm64-musl": "1.3.107",
-        "@swc/core-linux-x64-gnu": "1.3.107",
-        "@swc/core-linux-x64-musl": "1.3.107",
-        "@swc/core-win32-arm64-msvc": "1.3.107",
-        "@swc/core-win32-ia32-msvc": "1.3.107",
-        "@swc/core-win32-x64-msvc": "1.3.107"
-      },
-      "peerDependencies": {
-        "@swc/helpers": "^0.5.0"
-      },
-      "peerDependenciesMeta": {
-        "@swc/helpers": {
-          "optional": true
-        }
-      }
-    },
-    "node_modules/@swc/core-darwin-arm64": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-darwin-arm64/-/core-darwin-arm64-1.3.107.tgz",
-      "integrity": "sha512-47tD/5vSXWxPd0j/ZllyQUg4bqalbQTsmqSw0J4dDdS82MWqCAwUErUrAZPRjBkjNQ6Kmrf5rpCWaGTtPw+ngw==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-darwin-x64": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-darwin-x64/-/core-darwin-x64-1.3.107.tgz",
-      "integrity": "sha512-hwiLJ2ulNkBGAh1m1eTfeY1417OAYbRGcb/iGsJ+LuVLvKAhU/itzsl535CvcwAlt2LayeCFfcI8gdeOLeZa9A==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "darwin"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-linux-arm-gnueabihf": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-linux-arm-gnueabihf/-/core-linux-arm-gnueabihf-1.3.107.tgz",
-      "integrity": "sha512-I2wzcC0KXqh0OwymCmYwNRgZ9nxX7DWnOOStJXV3pS0uB83TXAkmqd7wvMBuIl9qu4Hfomi9aDM7IlEEn9tumQ==",
-      "cpu": [
-        "arm"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-linux-arm64-gnu": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-gnu/-/core-linux-arm64-gnu-1.3.107.tgz",
-      "integrity": "sha512-HWgnn7JORYlOYnGsdunpSF8A+BCZKPLzLtEUA27/M/ZuANcMZabKL9Zurt7XQXq888uJFAt98Gy+59PU90aHKg==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-linux-arm64-musl": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-musl/-/core-linux-arm64-musl-1.3.107.tgz",
-      "integrity": "sha512-vfPF74cWfAm8hyhS8yvYI94ucMHIo8xIYU+oFOW9uvDlGQRgnUf/6DEVbLyt/3yfX5723Ln57U8uiMALbX5Pyw==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-linux-x64-gnu": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-gnu/-/core-linux-x64-gnu-1.3.107.tgz",
-      "integrity": "sha512-uBVNhIg0ip8rH9OnOsCARUFZ3Mq3tbPHxtmWk9uAa5u8jQwGWeBx5+nTHpDOVd3YxKb6+5xDEI/edeeLpha/9g==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-linux-x64-musl": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-musl/-/core-linux-x64-musl-1.3.107.tgz",
-      "integrity": "sha512-mvACkUvzSIB12q1H5JtabWATbk3AG+pQgXEN95AmEX2ZA5gbP9+B+mijsg7Sd/3tboHr7ZHLz/q3SHTvdFJrEw==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "linux"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-win32-arm64-msvc": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-win32-arm64-msvc/-/core-win32-arm64-msvc-1.3.107.tgz",
-      "integrity": "sha512-J3P14Ngy/1qtapzbguEH41kY109t6DFxfbK4Ntz9dOWNuVY3o9/RTB841ctnJk0ZHEG+BjfCJjsD2n8H5HcaOA==",
-      "cpu": [
-        "arm64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "win32"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-win32-ia32-msvc": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-win32-ia32-msvc/-/core-win32-ia32-msvc-1.3.107.tgz",
-      "integrity": "sha512-ZBUtgyjTHlz8TPJh7kfwwwFma+ktr6OccB1oXC8fMSopD0AxVnQasgun3l3099wIsAB9eEsJDQ/3lDkOLs1gBA==",
-      "cpu": [
-        "ia32"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "win32"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
-    "node_modules/@swc/core-win32-x64-msvc": {
-      "version": "1.3.107",
-      "resolved": "https://registry.npmjs.org/@swc/core-win32-x64-msvc/-/core-win32-x64-msvc-1.3.107.tgz",
-      "integrity": "sha512-Eyzo2XRqWOxqhE1gk9h7LWmUf4Bp4Xn2Ttb0ayAXFp6YSTxQIThXcT9kipXZqcpxcmDwoq8iWbbf2P8XL743EA==",
-      "cpu": [
-        "x64"
-      ],
-      "dev": true,
-      "optional": true,
-      "os": [
-        "win32"
-      ],
-      "peer": true,
-      "engines": {
-        "node": ">=10"
-      }
-    },
    "node_modules/@swc/counter": {
      "version": "0.1.3",
      "resolved": "https://registry.npmjs.org/@swc/counter/-/counter-0.1.3.tgz",
@@ -13183,14 +13011,6 @@
        "tslib": "^2.8.0"
      }
    },
-    "node_modules/@swc/types": {
-      "version": "0.1.5",
-      "resolved": "https://registry.npmjs.org/@swc/types/-/types-0.1.5.tgz",
-      "integrity": "sha512-myfUej5naTBWnqOCc/MdVOLVjXUXtIA+NpDrDBKJtLLg2shUjBu3cZmB/85RyitKc55+lUUyl7oRfLOvkr2hsw==",
-      "dev": true,
-      "optional": true,
-      "peer": true
-    },
    "node_modules/@techteamer/ocsp": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/@techteamer/ocsp/-/ocsp-1.0.1.tgz",
@@ -15195,6 +15015,18 @@
        "proxy-from-env": "^1.1.0"
      }
    },
+    "node_modules/axios-ntlm": {
+      "version": "1.4.4",
+      "resolved": "https://registry.npmjs.org/axios-ntlm/-/axios-ntlm-1.4.4.tgz",
+      "integrity": "sha512-kpCRdzMfL8gi0Z0o96P3QPAK4XuC8iciGgxGXe+PeQ4oyjI2LZN8WSOKbu0Y9Jo3T/A7pB81n6jYVPIpglEuRA==",
+      "license": "MIT",
+      "dependencies": {
+        "axios": "^1.8.4",
+        "des.js": "^1.1.0",
+        "dev-null": "^0.1.1",
+        "js-md4": "^0.3.2"
+      }
+    },
    "node_modules/axios-retry": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/axios-retry/-/axios-retry-4.0.0.tgz",
@@ -16954,6 +16786,16 @@
      "resolved": "https://registry.npmjs.org/deprecation/-/deprecation-2.3.1.tgz",
      "integrity": "sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ=="
    },
+    "node_modules/des.js": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/des.js/-/des.js-1.1.0.tgz",
+      "integrity": "sha512-r17GxjhUCjSRy8aiJpr8/UadFIzMzJGexI3Nmz4ADi9LYSFx4gTBp80+NaX/YsXWWLhpZ7v/v/ubEc/bCNfKwg==",
+      "license": "MIT",
+      "dependencies": {
+        "inherits": "^2.0.1",
+        "minimalistic-assert": "^1.0.0"
+      }
+    },
    "node_modules/destroy": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
@@ -16981,6 +16823,12 @@
        "node": ">=8"
      }
    },
+    "node_modules/dev-null": {
+      "version": "0.1.1",
+      "resolved": "https://registry.npmjs.org/dev-null/-/dev-null-0.1.1.tgz",
+      "integrity": "sha512-nMNZG0zfMgmdv8S5O0TM5cpwNbGKRGPCxVsr0SmA3NZZy9CYBbuNLL0PD3Acx9e5LIUgwONXtM9kM6RlawPxEQ==",
+      "license": "MIT"
+    },
    "node_modules/diff": {
      "version": "4.0.2",
      "resolved": "https://registry.npmjs.org/diff/-/diff-4.0.2.tgz",
@@ -19029,49 +18877,6 @@
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
    },
-    "node_modules/gcp-metadata": {
-      "version": "5.3.0",
-      "resolved": "https://registry.npmjs.org/gcp-metadata/-/gcp-metadata-5.3.0.tgz",
-      "integrity": "sha512-FNTkdNEnBdlqF2oatizolQqNANMrcqJt6AAYt99B3y1aLLC8Hc5IOBb+ZnnzllodEEf6xMBp6wRcBbc16fa65w==",
-      "optional": true,
-      "peer": true,
-      "dependencies": {
-        "gaxios": "^5.0.0",
-        "json-bigint": "^1.0.0"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/gcp-metadata/node_modules/gaxios": {
-      "version": "5.1.3",
-      "resolved": "https://registry.npmjs.org/gaxios/-/gaxios-5.1.3.tgz",
-      "integrity": "sha512-95hVgBRgEIRQQQHIbnxBXeHbW4TqFk4ZDJW7wmVtvYar72FdhRIo1UGOLS2eRAKCPEdPBWu+M7+A33D9CdX9rA==",
-      "optional": true,
-      "peer": true,
-      "dependencies": {
-        "extend": "^3.0.2",
-        "https-proxy-agent": "^5.0.0",
-        "is-stream": "^2.0.0",
-        "node-fetch": "^2.6.9"
-      },
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/gcp-metadata/node_modules/is-stream": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz",
-      "integrity": "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==",
-      "optional": true,
-      "peer": true,
-      "engines": {
-        "node": ">=8"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
    "node_modules/generate-function": {
      "version": "2.3.1",
      "resolved": "https://registry.npmjs.org/generate-function/-/generate-function-2.3.1.tgz",
@@ -29562,9 +29367,10 @@
      }
    },
    "node_modules/toad-cache": {
-      "version": "3.3.0",
-      "resolved": "https://registry.npmjs.org/toad-cache/-/toad-cache-3.3.0.tgz",
-      "integrity": "sha512-3oDzcogWGHZdkwrHyvJVpPjA7oNzY6ENOV3PsWJY9XYPZ6INo94Yd47s5may1U+nleBPwDhrRiTPMIvKaa3MQg==",
+      "version": "3.7.0",
+      "resolved": "https://registry.npmjs.org/toad-cache/-/toad-cache-3.7.0.tgz",
+      "integrity": "sha512-/m8M+2BJUpoJdgAHoG+baCwBT+tf2VraSfkBgl0Y00qIWt41DJ8R5B8nsEw0I58YwF5IZH6z24/2TobDKnqSWw==",
+      "license": "MIT",
      "engines": {
        "node": ">=12"
      }
--- a/backend/package.json
+++ b/backend/package.json
@@ -37,7 +37,7 @@
    "build": "tsup --sourcemap",
    "build:frontend": "npm run build --prefix ../frontend",
    "start": "node --enable-source-maps dist/main.mjs",
-    "type:check": "tsc --noEmit",
+    "type:check": "node --max-old-space-size=8192 ./node_modules/.bin/tsc --noEmit",
    "lint:fix": "node --max-old-space-size=8192 ./node_modules/.bin/eslint --fix --ext js,ts ./src",
    "lint": "node --max-old-space-size=8192 ./node_modules/.bin/eslint 'src/**/*.ts'",
    "test:unit": "vitest run -c vitest.unit.config.ts",
@@ -145,6 +145,7 @@
    "@fastify/multipart": "8.3.1",
    "@fastify/passport": "^2.4.0",
    "@fastify/rate-limit": "^9.0.0",
+    "@fastify/reply-from": "^9.8.0",
    "@fastify/request-context": "^5.1.0",
    "@fastify/session": "^10.7.0",
    "@fastify/static": "^7.0.4",
@@ -183,6 +184,7 @@
    "argon2": "^0.31.2",
    "aws-sdk": "^2.1553.0",
    "axios": "^1.11.0",
+    "axios-ntlm": "^1.4.4",
    "axios-retry": "^4.0.0",
    "bcrypt": "^5.1.1",
    "botbuilder": "^4.23.2",
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -83,6 +83,7 @@ import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
 import { TIntegrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
 import { TMicrosoftTeamsServiceFactory } from "@app/services/microsoft-teams/microsoft-teams-service";
+import { TOfflineUsageReportServiceFactory } from "@app/services/offline-usage-report/offline-usage-report-service";
 import { TOrgRoleServiceFactory } from "@app/services/org/org-role-service";
 import { TOrgServiceFactory } from "@app/services/org/org-service";
 import { TOrgAdminServiceFactory } from "@app/services/org-admin/org-admin-service";
@@ -161,6 +162,7 @@ declare module "fastify" {
    };
    // identity injection. depending on which kinda of token the information is filled in auth
    auth: TAuthMode;
+    shouldForwardWritesToPrimaryInstance: boolean;
    permission: {
      authMethod: ActorAuthMethod;
      type: ActorType;
@@ -303,6 +305,7 @@ declare module "fastify" {
      bus: TEventBusService;
      sse: TServerSentEventsService;
      identityAuthTemplate: TIdentityAuthTemplateServiceFactory;
+      offlineUsageReport: TOfflineUsageReportServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/db/migrations/20250815022242_identity-lockouts.ts
+++ b/backend/src/db/migrations/20250815022242_identity-lockouts.ts
@@ -0,0 +1,57 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.IdentityUniversalAuth)) {
+    const hasLockoutEnabled = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutEnabled");
+    const hasLockoutThreshold = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutThreshold");
+    const hasLockoutDuration = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutDurationSeconds");
+    const hasLockoutCounterReset = await knex.schema.hasColumn(
+      TableName.IdentityUniversalAuth,
+      "lockoutCounterResetSeconds"
+    );
+
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      if (!hasLockoutEnabled) {
+        t.boolean("lockoutEnabled").notNullable().defaultTo(true);
+      }
+      if (!hasLockoutThreshold) {
+        t.integer("lockoutThreshold").notNullable().defaultTo(3);
+      }
+      if (!hasLockoutDuration) {
+        t.integer("lockoutDurationSeconds").notNullable().defaultTo(300); // 5 minutes
+      }
+      if (!hasLockoutCounterReset) {
+        t.integer("lockoutCounterResetSeconds").notNullable().defaultTo(30); // 30 seconds
+      }
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.IdentityUniversalAuth)) {
+    const hasLockoutEnabled = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutEnabled");
+    const hasLockoutThreshold = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutThreshold");
+    const hasLockoutDuration = await knex.schema.hasColumn(TableName.IdentityUniversalAuth, "lockoutDurationSeconds");
+    const hasLockoutCounterReset = await knex.schema.hasColumn(
+      TableName.IdentityUniversalAuth,
+      "lockoutCounterResetSeconds"
+    );
+
+    await knex.schema.alterTable(TableName.IdentityUniversalAuth, (t) => {
+      if (hasLockoutEnabled) {
+        t.dropColumn("lockoutEnabled");
+      }
+      if (hasLockoutThreshold) {
+        t.dropColumn("lockoutThreshold");
+      }
+      if (hasLockoutDuration) {
+        t.dropColumn("lockoutDurationSeconds");
+      }
+      if (hasLockoutCounterReset) {
+        t.dropColumn("lockoutCounterResetSeconds");
+      }
+    });
+  }
+}
--- a/backend/src/db/migrations/20250826190000_add-properties-to-pki-subscriber.ts
+++ b/backend/src/db/migrations/20250826190000_add-properties-to-pki-subscriber.ts
@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasPropertiesCol = await knex.schema.hasColumn(TableName.PkiSubscriber, "properties");
+
+  if (!hasPropertiesCol) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.jsonb("properties").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasPropertiesCol = await knex.schema.hasColumn(TableName.PkiSubscriber, "properties");
+
+  if (hasPropertiesCol) {
+    await knex.schema.alterTable(TableName.PkiSubscriber, (t) => {
+      t.dropColumn("properties");
+    });
+  }
+}
--- a/backend/src/db/schemas/identity-universal-auths.ts
+++ b/backend/src/db/schemas/identity-universal-auths.ts
@@ -18,7 +18,11 @@ export const IdentityUniversalAuthsSchema = z.object({
  createdAt: z.date(),
  updatedAt: z.date(),
  identityId: z.string().uuid(),
-  accessTokenPeriod: z.coerce.number().default(0)
+  accessTokenPeriod: z.coerce.number().default(0),
+  lockoutEnabled: z.boolean().default(true),
+  lockoutThreshold: z.number().default(3),
+  lockoutDurationSeconds: z.number().default(300),
+  lockoutCounterResetSeconds: z.number().default(30)
 });

 export type TIdentityUniversalAuths = z.infer<typeof IdentityUniversalAuthsSchema>;
--- a/backend/src/db/schemas/pki-subscribers.ts
+++ b/backend/src/db/schemas/pki-subscribers.ts
@@ -25,7 +25,8 @@ export const PkiSubscribersSchema = z.object({
  lastAutoRenewAt: z.date().nullable().optional(),
  lastOperationStatus: z.string().nullable().optional(),
  lastOperationMessage: z.string().nullable().optional(),
-  lastOperationAt: z.date().nullable().optional()
+  lastOperationAt: z.date().nullable().optional(),
+  properties: z.unknown().nullable().optional()
 });

 export type TPkiSubscribers = z.infer<typeof PkiSubscribersSchema>;
--- a/backend/src/ee/routes/v1/github-org-sync-router.ts
+++ b/backend/src/ee/routes/v1/github-org-sync-router.ts
@@ -126,4 +126,39 @@ export const registerGithubOrgSyncRouter = async (server: FastifyZodProvider) =>
      return { githubOrgSyncConfig };
    }
  });
+
+  server.route({
+    url: "/sync-all-teams",
+    method: "POST",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      response: {
+        200: z.object({
+          totalUsers: z.number(),
+          errors: z.array(z.string()),
+          createdTeams: z.array(z.string()),
+          updatedTeams: z.array(z.string()),
+          removedMemberships: z.number(),
+          syncDuration: z.number()
+        })
+      }
+    },
+    handler: async (req) => {
+      const result = await server.services.githubOrgSync.syncAllTeams({
+        orgPermission: req.permission
+      });
+
+      return {
+        totalUsers: result.totalUsers,
+        errors: result.errors,
+        createdTeams: result.createdTeams,
+        updatedTeams: result.updatedTeams,
+        removedMemberships: result.removedMemberships,
+        syncDuration: result.syncDuration
+      };
+    }
+  });
 };
--- a/backend/src/ee/services/audit-log/audit-log-service.ts
+++ b/backend/src/ee/services/audit-log/audit-log-service.ts
@@ -6,9 +6,9 @@ import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { ActorType } from "@app/services/auth/auth-type";

-import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { OrgPermissionAuditLogsActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
-import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
+import { ProjectPermissionAuditLogsActions, ProjectPermissionSub } from "../permission/project-permission";
 import { TAuditLogDALFactory } from "./audit-log-dal";
 import { TAuditLogQueueServiceFactory } from "./audit-log-queue";
 import { EventType, TAuditLogServiceFactory } from "./audit-log-types";
@@ -41,7 +41,10 @@ export const auditLogServiceFactory = ({
        actorOrgId,
        actionProjectType: ActionProjectType.Any
      });
-      ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
+      ForbiddenError.from(permission).throwUnlessCan(
+        ProjectPermissionAuditLogsActions.Read,
+        ProjectPermissionSub.AuditLogs
+      );
    } else {
      // Organization-wide logs
      const { permission } = await permissionService.getOrgPermission(
@@ -52,7 +55,10 @@ export const auditLogServiceFactory = ({
        actorOrgId
      );

-      ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
+      ForbiddenError.from(permission).throwUnlessCan(
+        OrgPermissionAuditLogsActions.Read,
+        OrgPermissionSubjects.AuditLogs
+      );
    }

    // If project ID is not provided, then we need to return all the audit logs for the organization itself.
--- a/backend/src/ee/services/audit-log/audit-log-types.ts
+++ b/backend/src/ee/services/audit-log/audit-log-types.ts
@@ -198,6 +198,7 @@ export enum EventType {

  CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
  REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
+  CLEAR_IDENTITY_UNIVERSAL_AUTH_LOCKOUTS = "clear-identity-universal-auth-lockouts",

  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
  GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET_BY_ID = "get-identity-universal-auth-client-secret-by-id",
@@ -281,6 +282,7 @@ export enum EventType {
  UPDATE_SSH_CERTIFICATE_TEMPLATE = "update-ssh-certificate-template",
  DELETE_SSH_CERTIFICATE_TEMPLATE = "delete-ssh-certificate-template",
  GET_SSH_CERTIFICATE_TEMPLATE = "get-ssh-certificate-template",
+  GET_AZURE_AD_TEMPLATES = "get-azure-ad-templates",
  GET_SSH_HOST = "get-ssh-host",
  CREATE_SSH_HOST = "create-ssh-host",
  UPDATE_SSH_HOST = "update-ssh-host",
@@ -866,6 +868,10 @@ interface AddIdentityUniversalAuthEvent {
    accessTokenMaxTTL: number;
    accessTokenNumUsesLimit: number;
    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+    lockoutEnabled: boolean;
+    lockoutThreshold: number;
+    lockoutDurationSeconds: number;
+    lockoutCounterResetSeconds: number;
  };
 }

@@ -878,6 +884,10 @@ interface UpdateIdentityUniversalAuthEvent {
    accessTokenMaxTTL?: number;
    accessTokenNumUsesLimit?: number;
    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+    lockoutEnabled?: boolean;
+    lockoutThreshold?: number;
+    lockoutDurationSeconds?: number;
+    lockoutCounterResetSeconds?: number;
  };
 }

@@ -1037,6 +1047,13 @@ interface RevokeIdentityUniversalAuthClientSecretEvent {
  };
 }

+interface ClearIdentityUniversalAuthLockoutsEvent {
+  type: EventType.CLEAR_IDENTITY_UNIVERSAL_AUTH_LOCKOUTS;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityGcpAuthEvent {
  type: EventType.LOGIN_IDENTITY_GCP_AUTH;
  metadata: {
@@ -2497,6 +2514,14 @@ interface CreateCertificateTemplateEstConfig {
  };
 }

+interface GetAzureAdCsTemplatesEvent {
+  type: EventType.GET_AZURE_AD_TEMPLATES;
+  metadata: {
+    caId: string;
+    amount: number;
+  };
+}
+
 interface UpdateCertificateTemplateEstConfig {
  type: EventType.UPDATE_CERTIFICATE_TEMPLATE_EST_CONFIG;
  metadata: {
@@ -3491,6 +3516,7 @@ export type Event =
  | GetIdentityUniversalAuthClientSecretsEvent
  | GetIdentityUniversalAuthClientSecretByIdEvent
  | RevokeIdentityUniversalAuthClientSecretEvent
+  | ClearIdentityUniversalAuthLockoutsEvent
  | LoginIdentityGcpAuthEvent
  | AddIdentityGcpAuthEvent
  | DeleteIdentityGcpAuthEvent
@@ -3636,6 +3662,7 @@ export type Event =
  | CreateCertificateTemplateEstConfig
  | UpdateCertificateTemplateEstConfig
  | GetCertificateTemplateEstConfig
+  | GetAzureAdCsTemplatesEvent
  | AttemptCreateSlackIntegration
  | AttemptReinstallSlackIntegration
  | UpdateSlackIntegration
--- a/backend/src/ee/services/github-org-sync/github-org-sync-service.ts
+++ b/backend/src/ee/services/github-org-sync/github-org-sync-service.ts
@@ -1,14 +1,19 @@
+/* eslint-disable @typescript-eslint/return-await */
+/* eslint-disable no-await-in-loop */
 import { ForbiddenError } from "@casl/ability";
 import { Octokit } from "@octokit/core";
 import { paginateGraphql } from "@octokit/plugin-paginate-graphql";
 import { Octokit as OctokitRest } from "@octokit/rest";
+import RE2 from "re2";

 import { OrgMembershipRole } from "@app/db/schemas";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { groupBy } from "@app/lib/fn";
 import { logger } from "@app/lib/logger";
+import { retryWithBackoff } from "@app/lib/retry";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";

 import { TGroupDALFactory } from "../group/group-dal";
 import { TUserGroupMembershipDALFactory } from "../group/user-group-membership-dal";
@@ -16,20 +21,67 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service-types";
 import { TGithubOrgSyncDALFactory } from "./github-org-sync-dal";
-import { TCreateGithubOrgSyncDTO, TDeleteGithubOrgSyncDTO, TUpdateGithubOrgSyncDTO } from "./github-org-sync-types";
+import {
+  TCreateGithubOrgSyncDTO,
+  TDeleteGithubOrgSyncDTO,
+  TSyncAllTeamsDTO,
+  TSyncResult,
+  TUpdateGithubOrgSyncDTO,
+  TValidateGithubTokenDTO
+} from "./github-org-sync-types";

 const OctokitWithPlugin = Octokit.plugin(paginateGraphql);

+// Type definitions for GitHub API errors
+interface GitHubApiError extends Error {
+  status?: number;
+  response?: {
+    status?: number;
+    headers?: {
+      "x-ratelimit-reset"?: string;
+    };
+  };
+}
+
+interface OrgMembershipWithUser {
+  id: string;
+  orgId: string;
+  role: string;
+  status: string;
+  isActive: boolean;
+  inviteEmail: string | null;
+  user: {
+    id: string;
+    email: string;
+    username: string | null;
+    firstName: string | null;
+    lastName: string | null;
+  } | null;
+}
+
+interface GroupMembership {
+  id: string;
+  groupId: string;
+  groupName: string;
+  orgMembershipId: string;
+  firstName: string | null;
+  lastName: string | null;
+}
+
 type TGithubOrgSyncServiceFactoryDep = {
  githubOrgSyncDAL: TGithubOrgSyncDALFactory;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
  userGroupMembershipDAL: Pick<
    TUserGroupMembershipDALFactory,
-    "findGroupMembershipsByUserIdInOrg" | "insertMany" | "delete"
+    "findGroupMembershipsByUserIdInOrg" | "findGroupMembershipsByGroupIdInOrg" | "insertMany" | "delete"
  >;
  groupDAL: Pick<TGroupDALFactory, "insertMany" | "transaction" | "find">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  orgMembershipDAL: Pick<
+    TOrgMembershipDALFactory,
+    "find" | "findOrgMembershipById" | "findOrgMembershipsWithUsersByOrgId"
+  >;
 };

 export type TGithubOrgSyncServiceFactory = ReturnType<typeof githubOrgSyncServiceFactory>;
@@ -40,7 +92,8 @@ export const githubOrgSyncServiceFactory = ({
  kmsService,
  userGroupMembershipDAL,
  groupDAL,
-  licenseService
+  licenseService,
+  orgMembershipDAL
 }: TGithubOrgSyncServiceFactoryDep) => {
  const createGithubOrgSync = async ({
    githubOrgName,
@@ -304,8 +357,8 @@ export const githubOrgSyncServiceFactory = ({
    const removeFromTeams = infisicalUserGroups.filter((el) => !githubUserTeamSet.has(el.groupName));

    if (newTeams.length || updateTeams.length || removeFromTeams.length) {
-      await groupDAL.transaction(async (tx) => {
-        if (newTeams.length) {
+      if (newTeams.length) {
+        await groupDAL.transaction(async (tx) => {
          const newGroups = await groupDAL.insertMany(
            newTeams.map((newGroupName) => ({
              name: newGroupName,
@@ -322,9 +375,11 @@ export const githubOrgSyncServiceFactory = ({
            })),
            tx
          );
-        }
+        });
+      }

-        if (updateTeams.length) {
+      if (updateTeams.length) {
+        await groupDAL.transaction(async (tx) => {
          await userGroupMembershipDAL.insertMany(
            updateTeams.map((el) => ({
              groupId: githubUserTeamOnInfisicalGroupByName[el][0].id,
@@ -332,16 +387,433 @@ export const githubOrgSyncServiceFactory = ({
            })),
            tx
          );
-        }
+        });
+      }

-        if (removeFromTeams.length) {
+      if (removeFromTeams.length) {
+        await groupDAL.transaction(async (tx) => {
          await userGroupMembershipDAL.delete(
            { userId, $in: { groupId: removeFromTeams.map((el) => el.groupId) } },
            tx
          );
-        }
+        });
+      }
+    }
+  };
+
+  const validateGithubToken = async ({ orgPermission, githubOrgAccessToken }: TValidateGithubTokenDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      orgPermission.type,
+      orgPermission.id,
+      orgPermission.orgId,
+      orgPermission.authMethod,
+      orgPermission.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.GithubOrgSync);
+
+    const plan = await licenseService.getPlan(orgPermission.orgId);
+    if (!plan.githubOrgSync) {
+      throw new BadRequestError({
+        message:
+          "Failed to validate GitHub token due to plan restriction. Upgrade plan to use GitHub organization sync."
      });
    }
+
+    const config = await githubOrgSyncDAL.findOne({ orgId: orgPermission.orgId });
+    if (!config) {
+      throw new BadRequestError({ message: "GitHub organization sync is not configured" });
+    }
+
+    try {
+      const testOctokit = new OctokitRest({
+        auth: githubOrgAccessToken,
+        request: {
+          signal: AbortSignal.timeout(10000)
+        }
+      });
+
+      const { data: org } = await testOctokit.rest.orgs.get({
+        org: config.githubOrgName
+      });
+
+      const octokitGraphQL = new OctokitWithPlugin({
+        auth: githubOrgAccessToken,
+        request: {
+          signal: AbortSignal.timeout(10000)
+        }
+      });
+
+      await octokitGraphQL.graphql(`query($org: String!) { organization(login: $org) { id name } }`, {
+        org: config.githubOrgName
+      });
+
+      return {
+        valid: true,
+        organizationInfo: {
+          id: org.id,
+          login: org.login,
+          name: org.name || org.login,
+          publicRepos: org.public_repos,
+          privateRepos: org.owned_private_repos || 0
+        }
+      };
+    } catch (error) {
+      logger.error(error, `GitHub token validation failed for org ${config.githubOrgName}`);
+
+      const gitHubError = error as GitHubApiError;
+      const statusCode = gitHubError.status || gitHubError.response?.status;
+      if (statusCode) {
+        if (statusCode === 401) {
+          throw new BadRequestError({
+            message: "GitHub access token is invalid or expired."
+          });
+        }
+        if (statusCode === 403) {
+          throw new BadRequestError({
+            message:
+              "GitHub access token lacks required permissions. Required: 1) 'read:org' scope for organization teams, 2) Token owner must be an organization member with team visibility access, 3) Organization settings must allow team visibility. Check GitHub token scopes and organization member permissions."
+          });
+        }
+        if (statusCode === 404) {
+          throw new BadRequestError({
+            message: `Organization '${config.githubOrgName}' not found or access token does not have access to it.`
+          });
+        }
+      }
+
+      throw new BadRequestError({
+        message: `GitHub token validation failed: ${(error as Error).message}`
+      });
+    }
+  };
+
+  const syncAllTeams = async ({ orgPermission }: TSyncAllTeamsDTO): Promise<TSyncResult> => {
+    const { permission } = await permissionService.getOrgPermission(
+      orgPermission.type,
+      orgPermission.id,
+      orgPermission.orgId,
+      orgPermission.authMethod,
+      orgPermission.orgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      OrgPermissionActions.Edit,
+      OrgPermissionSubjects.GithubOrgSyncManual
+    );
+
+    const plan = await licenseService.getPlan(orgPermission.orgId);
+    if (!plan.githubOrgSync) {
+      throw new BadRequestError({
+        message:
+          "Failed to sync all GitHub teams due to plan restriction. Upgrade plan to use GitHub organization sync."
+      });
+    }
+
+    const config = await githubOrgSyncDAL.findOne({ orgId: orgPermission.orgId });
+    if (!config || !config?.isActive) {
+      throw new BadRequestError({ message: "GitHub organization sync is not configured or not active" });
+    }
+
+    const { decryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.Organization,
+      orgId: orgPermission.orgId
+    });
+
+    if (!config.encryptedGithubOrgAccessToken) {
+      throw new BadRequestError({
+        message: "GitHub organization access token is required. Please set a token first."
+      });
+    }
+
+    const orgAccessToken = decryptor({ cipherTextBlob: config.encryptedGithubOrgAccessToken }).toString();
+
+    try {
+      const testOctokit = new OctokitRest({
+        auth: orgAccessToken,
+        request: {
+          signal: AbortSignal.timeout(10000)
+        }
+      });
+
+      await testOctokit.rest.orgs.get({
+        org: config.githubOrgName
+      });
+
+      await testOctokit.rest.users.getAuthenticated();
+    } catch (error) {
+      throw new BadRequestError({
+        message: "Stored GitHub access token is invalid or expired. Please set a new token."
+      });
+    }
+
+    const allMembers = await orgMembershipDAL.findOrgMembershipsWithUsersByOrgId(orgPermission.orgId);
+    const activeMembers = allMembers.filter(
+      (member) => member.status === "accepted" && member.isActive
+    ) as OrgMembershipWithUser[];
+
+    const startTime = Date.now();
+    const syncErrors: string[] = [];
+
+    const octokit = new OctokitWithPlugin({
+      auth: orgAccessToken,
+      request: {
+        signal: AbortSignal.timeout(30000)
+      }
+    });
+
+    const data = await retryWithBackoff(async () => {
+      return octokit.graphql
+        .paginate<{
+          organization: {
+            teams: {
+              totalCount: number;
+              edges: {
+                node: {
+                  name: string;
+                  description: string;
+                  members: {
+                    edges: {
+                      node: {
+                        login: string;
+                      };
+                    }[];
+                  };
+                };
+              }[];
+            };
+          };
+        }>(
+          `
+        query orgTeams($cursor: String, $org: String!) {
+          organization(login: $org) {
+            teams(first: 100, after: $cursor) {
+              totalCount
+              edges {
+                node {
+                  name
+                  description
+                  members(first: 100) {
+                    edges {
+                      node {
+                        login
+                      }
+                    }
+                  }
+                }
+              }
+              pageInfo {
+                hasNextPage
+                endCursor
+              }
+            }
+          }
+        }
+        `,
+          {
+            org: config.githubOrgName
+          }
+        )
+        .catch((err) => {
+          logger.error(err, "GitHub GraphQL error for batched team sync");
+
+          const gitHubError = err as GitHubApiError;
+          const statusCode = gitHubError.status || gitHubError.response?.status;
+          if (statusCode) {
+            if (statusCode === 401) {
+              throw new BadRequestError({
+                message: "GitHub access token is invalid or expired. Please provide a new token."
+              });
+            }
+            if (statusCode === 403) {
+              throw new BadRequestError({
+                message:
+                  "GitHub access token lacks required permissions for organization team sync. Required: 1) 'admin:org' scope, 2) Token owner must be organization owner or have team read permissions, 3) Organization settings must allow team visibility. Check token scopes and user role."
+              });
+            }
+            if (statusCode === 404) {
+              throw new BadRequestError({
+                message: `Organization ${config.githubOrgName} not found or access token does not have sufficient permissions to read it.`
+              });
+            }
+          }
+
+          if ((err as Error)?.message?.includes("Although you appear to have the correct authorization credential")) {
+            throw new BadRequestError({
+              message:
+                "Organization has restricted OAuth app access. Please check that: 1) Your organization has approved the Infisical OAuth application, 2) The token owner has sufficient organization permissions."
+            });
+          }
+          throw new BadRequestError({ message: `GitHub GraphQL query failed: ${(err as Error)?.message}` });
+        });
+    });
+
+    const {
+      organization: { teams }
+    } = data;
+
+    const userTeamMap = new Map<string, string[]>();
+    const allGithubUsernamesInTeams = new Set<string>();
+
+    teams?.edges?.forEach((teamEdge) => {
+      const teamName = teamEdge.node.name.toLowerCase();
+
+      teamEdge.node.members.edges.forEach((memberEdge) => {
+        const username = memberEdge.node.login.toLowerCase();
+        allGithubUsernamesInTeams.add(username);
+
+        if (!userTeamMap.has(username)) {
+          userTeamMap.set(username, []);
+        }
+        userTeamMap.get(username)!.push(teamName);
+      });
+    });
+
+    const allGithubTeamNames = Array.from(new Set(teams?.edges?.map((edge) => edge.node.name.toLowerCase()) || []));
+
+    const existingTeamsOnInfisical = await groupDAL.find({
+      orgId: orgPermission.orgId,
+      $in: { name: allGithubTeamNames }
+    });
+    const existingTeamsMap = groupBy(existingTeamsOnInfisical, (i) => i.name);
+
+    const teamsToCreate = allGithubTeamNames.filter((teamName) => !(teamName in existingTeamsMap));
+    const createdTeams = new Set<string>();
+    const updatedTeams = new Set<string>();
+    const totalRemovedMemberships = 0;
+
+    await groupDAL.transaction(async (tx) => {
+      if (teamsToCreate.length > 0) {
+        const newGroups = await groupDAL.insertMany(
+          teamsToCreate.map((teamName) => ({
+            name: teamName,
+            role: OrgMembershipRole.Member,
+            slug: teamName,
+            orgId: orgPermission.orgId
+          })),
+          tx
+        );
+
+        newGroups.forEach((group) => {
+          if (!existingTeamsMap[group.name]) {
+            existingTeamsMap[group.name] = [];
+          }
+          existingTeamsMap[group.name].push(group);
+          createdTeams.add(group.name);
+        });
+      }
+
+      const allTeams = [...Object.values(existingTeamsMap).flat()];
+
+      for (const team of allTeams) {
+        const teamName = team.name.toLowerCase();
+
+        const currentMemberships = (await userGroupMembershipDAL.findGroupMembershipsByGroupIdInOrg(
+          team.id,
+          orgPermission.orgId
+        )) as GroupMembership[];
+
+        const expectedUserIds = new Set<string>();
+        teams?.edges?.forEach((teamEdge) => {
+          if (teamEdge.node.name.toLowerCase() === teamName) {
+            teamEdge.node.members.edges.forEach((memberEdge) => {
+              const githubUsername = memberEdge.node.login.toLowerCase();
+
+              const matchingMember = activeMembers.find((member) => {
+                const email = member.user?.email || member.inviteEmail;
+                if (!email) return false;
+
+                const emailPrefix = email.split("@")[0].toLowerCase();
+                const emailDomain = email.split("@")[1].toLowerCase();
+
+                if (emailPrefix === githubUsername) {
+                  return true;
+                }
+                const domainName = emailDomain.split(".")[0];
+                if (githubUsername.endsWith(domainName) && githubUsername.length > domainName.length) {
+                  const baseUsername = githubUsername.slice(0, -domainName.length);
+                  if (emailPrefix === baseUsername) {
+                    return true;
+                  }
+                }
+                const emailSplitRegex = new RE2(/[._-]/);
+                const emailParts = emailPrefix.split(emailSplitRegex);
+                const longestEmailPart = emailParts.reduce((a, b) => (a.length > b.length ? a : b), "");
+                if (longestEmailPart.length >= 4 && githubUsername.includes(longestEmailPart)) {
+                  return true;
+                }
+                return false;
+              });
+
+              if (matchingMember?.user?.id) {
+                expectedUserIds.add(matchingMember.user.id);
+                logger.info(
+                  `Matched GitHub user ${githubUsername} to email ${matchingMember.user?.email || matchingMember.inviteEmail}`
+                );
+              }
+            });
+          }
+        });
+
+        const currentUserIds = new Set<string>();
+        currentMemberships.forEach((membership) => {
+          const activeMember = activeMembers.find((am) => am.id === membership.orgMembershipId);
+          if (activeMember?.user?.id) {
+            currentUserIds.add(activeMember.user.id);
+          }
+        });
+
+        const usersToAdd = Array.from(expectedUserIds).filter((userId) => !currentUserIds.has(userId));
+
+        const membershipsToRemove = currentMemberships.filter((membership) => {
+          const activeMember = activeMembers.find((am) => am.id === membership.orgMembershipId);
+          return activeMember?.user?.id && !expectedUserIds.has(activeMember.user.id);
+        });
+
+        if (usersToAdd.length > 0) {
+          await userGroupMembershipDAL.insertMany(
+            usersToAdd.map((userId) => ({
+              userId,
+              groupId: team.id
+            })),
+            tx
+          );
+          updatedTeams.add(teamName);
+        }
+
+        if (membershipsToRemove.length > 0) {
+          await userGroupMembershipDAL.delete(
+            {
+              $in: {
+                id: membershipsToRemove.map((m) => m.id)
+              }
+            },
+            tx
+          );
+          updatedTeams.add(teamName);
+        }
+      }
+    });
+
+    const syncDuration = Date.now() - startTime;
+
+    logger.info(
+      {
+        orgId: orgPermission.orgId,
+        createdTeams: createdTeams.size,
+        syncDuration
+      },
+      "GitHub team sync completed"
+    );
+
+    return {
+      totalUsers: activeMembers.length,
+      errors: syncErrors,
+      createdTeams: Array.from(createdTeams),
+      updatedTeams: Array.from(updatedTeams),
+      removedMemberships: totalRemovedMemberships,
+      syncDuration
+    };
  };

  return {
@@ -349,6 +821,8 @@ export const githubOrgSyncServiceFactory = ({
    updateGithubOrgSync,
    deleteGithubOrgSync,
    getGithubOrgSync,
-    syncUserGroups
+    syncUserGroups,
+    syncAllTeams,
+    validateGithubToken
  };
 };
--- a/backend/src/ee/services/github-org-sync/github-org-sync-types.ts
+++ b/backend/src/ee/services/github-org-sync/github-org-sync-types.ts
@@ -21,3 +21,21 @@ export interface TDeleteGithubOrgSyncDTO {
 export interface TGetGithubOrgSyncDTO {
  orgPermission: OrgServiceActor;
 }
+
+export interface TSyncAllTeamsDTO {
+  orgPermission: OrgServiceActor;
+}
+
+export interface TSyncResult {
+  totalUsers: number;
+  errors: string[];
+  createdTeams: string[];
+  updatedTeams: string[];
+  removedMemberships: number;
+  syncDuration: number;
+}
+
+export interface TValidateGithubTokenDTO {
+  orgPermission: OrgServiceActor;
+  githubOrgAccessToken: string;
+}
--- a/backend/src/ee/services/license/license-service.ts
+++ b/backend/src/ee/services/license/license-service.ts
@@ -722,6 +722,16 @@ export const licenseServiceFactory = ({
    await keyStore.deleteItem(FEATURE_CACHE_KEY(orgId));
  };

+  const getCustomerId = () => {
+    if (!selfHostedLicense) return "unknown";
+    return selfHostedLicense?.customerId;
+  };
+
+  const getLicenseId = () => {
+    if (!selfHostedLicense) return "unknown";
+    return selfHostedLicense?.licenseId;
+  };
+
  return {
    generateOrgCustomerId,
    removeOrgCustomer,
@@ -736,6 +746,8 @@ export const licenseServiceFactory = ({
      return onPremFeatures;
    },
    getPlan,
+    getCustomerId,
+    getLicenseId,
    invalidateGetPlan,
    updateSubscriptionOrgMemberCount,
    refreshPlan,
--- a/backend/src/ee/services/permission/default-roles.ts
+++ b/backend/src/ee/services/permission/default-roles.ts
@@ -2,6 +2,7 @@ import { AbilityBuilder, createMongoAbility, MongoAbility } from "@casl/ability"

 import {
  ProjectPermissionActions,
+  ProjectPermissionAuditLogsActions,
  ProjectPermissionCertificateActions,
  ProjectPermissionCmekActions,
  ProjectPermissionCommitsActions,
@@ -394,7 +395,7 @@ const buildMemberPermissionRules = () => {
  );

  can([ProjectPermissionActions.Read], ProjectPermissionSub.Role);
-  can([ProjectPermissionActions.Read], ProjectPermissionSub.AuditLogs);
+  can([ProjectPermissionAuditLogsActions.Read], ProjectPermissionSub.AuditLogs);
  can([ProjectPermissionActions.Read], ProjectPermissionSub.IpAllowList);

  // double check if all CRUD are needed for CA and Certificates
@@ -502,7 +503,7 @@ const buildViewerPermissionRules = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Settings);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Environments);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Tags);
-  can(ProjectPermissionActions.Read, ProjectPermissionSub.AuditLogs);
+  can(ProjectPermissionAuditLogsActions.Read, ProjectPermissionSub.AuditLogs);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.IpAllowList);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.CertificateAuthorities);
  can(ProjectPermissionCertificateActions.Read, ProjectPermissionSub.Certificates);
--- a/backend/src/ee/services/permission/org-permission.ts
+++ b/backend/src/ee/services/permission/org-permission.ts
@@ -23,6 +23,10 @@ export enum OrgPermissionAppConnectionActions {
  Connect = "connect"
 }

+export enum OrgPermissionAuditLogsActions {
+  Read = "read"
+}
+
 export enum OrgPermissionKmipActions {
  Proxy = "proxy",
  Setup = "setup"
@@ -90,6 +94,7 @@ export enum OrgPermissionSubjects {
  Sso = "sso",
  Scim = "scim",
  GithubOrgSync = "github-org-sync",
+  GithubOrgSyncManual = "github-org-sync-manual",
  Ldap = "ldap",
  Groups = "groups",
  Billing = "billing",
@@ -119,13 +124,14 @@ export type OrgPermissionSet =
  | [OrgPermissionActions, OrgPermissionSubjects.Sso]
  | [OrgPermissionActions, OrgPermissionSubjects.Scim]
  | [OrgPermissionActions, OrgPermissionSubjects.GithubOrgSync]
+  | [OrgPermissionActions, OrgPermissionSubjects.GithubOrgSyncManual]
  | [OrgPermissionActions, OrgPermissionSubjects.Ldap]
  | [OrgPermissionGroupActions, OrgPermissionSubjects.Groups]
  | [OrgPermissionActions, OrgPermissionSubjects.SecretScanning]
  | [OrgPermissionBillingActions, OrgPermissionSubjects.Billing]
  | [OrgPermissionIdentityActions, OrgPermissionSubjects.Identity]
  | [OrgPermissionActions, OrgPermissionSubjects.Kms]
-  | [OrgPermissionActions, OrgPermissionSubjects.AuditLogs]
+  | [OrgPermissionAuditLogsActions, OrgPermissionSubjects.AuditLogs]
  | [OrgPermissionActions, OrgPermissionSubjects.ProjectTemplates]
  | [OrgPermissionGatewayActions, OrgPermissionSubjects.Gateway]
  | [
@@ -188,6 +194,10 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
    subject: z.literal(OrgPermissionSubjects.GithubOrgSync).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
  }),
+  z.object({
+    subject: z.literal(OrgPermissionSubjects.GithubOrgSyncManual).describe("The entity this permission pertains to."),
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.Ldap).describe("The entity this permission pertains to."),
    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
@@ -214,7 +224,9 @@ export const OrgPermissionSchema = z.discriminatedUnion("subject", [
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.AuditLogs).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionActions).describe("Describe what action an entity can take.")
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(OrgPermissionAuditLogsActions).describe(
+      "Describe what action an entity can take."
+    )
  }),
  z.object({
    subject: z.literal(OrgPermissionSubjects.ProjectTemplates).describe("The entity this permission pertains to."),
@@ -309,6 +321,11 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.GithubOrgSync);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.GithubOrgSync);

+  can(OrgPermissionActions.Read, OrgPermissionSubjects.GithubOrgSyncManual);
+  can(OrgPermissionActions.Create, OrgPermissionSubjects.GithubOrgSyncManual);
+  can(OrgPermissionActions.Edit, OrgPermissionSubjects.GithubOrgSyncManual);
+  can(OrgPermissionActions.Delete, OrgPermissionSubjects.GithubOrgSyncManual);
+
  can(OrgPermissionActions.Read, OrgPermissionSubjects.Ldap);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Ldap);
@@ -340,10 +357,7 @@ const buildAdminPermission = () => {
  can(OrgPermissionActions.Edit, OrgPermissionSubjects.Kms);
  can(OrgPermissionActions.Delete, OrgPermissionSubjects.Kms);

-  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
-  can(OrgPermissionActions.Create, OrgPermissionSubjects.AuditLogs);
-  can(OrgPermissionActions.Edit, OrgPermissionSubjects.AuditLogs);
-  can(OrgPermissionActions.Delete, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionAuditLogsActions.Read, OrgPermissionSubjects.AuditLogs);

  can(OrgPermissionActions.Read, OrgPermissionSubjects.ProjectTemplates);
  can(OrgPermissionActions.Create, OrgPermissionSubjects.ProjectTemplates);
@@ -416,7 +430,7 @@ const buildMemberPermission = () => {
  can(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
  can(OrgPermissionIdentityActions.Delete, OrgPermissionSubjects.Identity);

-  can(OrgPermissionActions.Read, OrgPermissionSubjects.AuditLogs);
+  can(OrgPermissionAuditLogsActions.Read, OrgPermissionSubjects.AuditLogs);

  can(OrgPermissionAppConnectionActions.Connect, OrgPermissionSubjects.AppConnections);
  can(OrgPermissionGatewayActions.ListGateways, OrgPermissionSubjects.Gateway);
--- a/backend/src/ee/services/permission/project-permission.ts
+++ b/backend/src/ee/services/permission/project-permission.ts
@@ -164,6 +164,10 @@ export enum ProjectPermissionSecretEventActions {
  SubscribeImportMutations = "subscribe-on-import-mutations"
 }

+export enum ProjectPermissionAuditLogsActions {
+  Read = "read"
+}
+
 export enum ProjectPermissionSub {
  Role = "role",
  Member = "member",
@@ -304,7 +308,7 @@ export type ProjectPermissionSet =
  | [ProjectPermissionGroupActions, ProjectPermissionSub.Groups]
  | [ProjectPermissionActions, ProjectPermissionSub.Integrations]
  | [ProjectPermissionActions, ProjectPermissionSub.Webhooks]
-  | [ProjectPermissionActions, ProjectPermissionSub.AuditLogs]
+  | [ProjectPermissionAuditLogsActions, ProjectPermissionSub.AuditLogs]
  | [ProjectPermissionActions, ProjectPermissionSub.Environments]
  | [ProjectPermissionActions, ProjectPermissionSub.IpAllowList]
  | [ProjectPermissionActions, ProjectPermissionSub.Settings]
@@ -645,7 +649,7 @@ const GeneralPermissionSchema = [
  }),
  z.object({
    subject: z.literal(ProjectPermissionSub.AuditLogs).describe("The entity this permission pertains to."),
-    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionActions).describe(
+    action: CASL_ACTION_SCHEMA_NATIVE_ENUM(ProjectPermissionAuditLogsActions).describe(
      "Describe what action an entity can take."
    )
  }),
--- a/backend/src/keystore/keystore.ts
+++ b/backend/src/keystore/keystore.ts
@@ -13,7 +13,8 @@ export const PgSqlLock = {
  SecretRotationV2Creation: (folderId: string) => pgAdvisoryLockHashText(`secret-rotation-v2-creation:${folderId}`),
  CreateProject: (orgId: string) => pgAdvisoryLockHashText(`create-project:${orgId}`),
  CreateFolder: (envId: string, projectId: string) => pgAdvisoryLockHashText(`create-folder:${envId}-${projectId}`),
-  SshInit: (projectId: string) => pgAdvisoryLockHashText(`ssh-bootstrap:${projectId}`)
+  SshInit: (projectId: string) => pgAdvisoryLockHashText(`ssh-bootstrap:${projectId}`),
+  IdentityLogin: (identityId: string, nonce: string) => pgAdvisoryLockHashText(`identity-login:${identityId}:${nonce}`)
 } as const;

 // all the key prefixes used must be set here to avoid conflict
@@ -40,6 +41,7 @@ export const KeyStorePrefixes = {
  SecretRotationLock: (rotationId: string) => `secret-rotation-v2-mutex-${rotationId}` as const,
  SecretScanningLock: (dataSourceId: string, resourceExternalId: string) =>
    `secret-scanning-v2-mutex-${dataSourceId}-${resourceExternalId}` as const,
+  IdentityLockoutLock: (lockoutKey: string) => `identity-lockout-lock-${lockoutKey}` as const,
  CaOrderCertificateForSubscriberLock: (subscriberId: string) =>
    `ca-order-certificate-for-subscriber-lock-${subscriberId}` as const,
  SecretSyncLastRunTimestamp: (syncId: string) => `secret-sync-last-run-${syncId}` as const,
--- a/backend/src/lib/api-docs/constants.ts
+++ b/backend/src/lib/api-docs/constants.ts
@@ -166,7 +166,12 @@ export const UNIVERSAL_AUTH = {
    accessTokenNumUsesLimit:
      "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses.",
    accessTokenPeriod:
-      "The period for an access token in seconds. This value will be referenced at renewal time. Default value is 0."
+      "The period for an access token in seconds. This value will be referenced at renewal time. Default value is 0.",
+    lockoutEnabled: "Whether the lockout feature is enabled.",
+    lockoutThreshold: "The amount of times login must fail before locking the identity auth method.",
+    lockoutDurationSeconds: "How long an identity auth method lockout lasts.",
+    lockoutCounterResetSeconds:
+      "How long to wait from the most recent failed login until resetting the lockout counter."
  },
  RETRIEVE: {
    identityId: "The ID of the identity to retrieve the auth method for."
@@ -181,7 +186,12 @@ export const UNIVERSAL_AUTH = {
    accessTokenTTL: "The new lifetime for an access token in seconds.",
    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
-    accessTokenPeriod: "The new period for an access token in seconds."
+    accessTokenPeriod: "The new period for an access token in seconds.",
+    lockoutEnabled: "Whether the lockout feature is enabled.",
+    lockoutThreshold: "The amount of times login must fail before locking the identity auth method.",
+    lockoutDurationSeconds: "How long an identity auth method lockout lasts.",
+    lockoutCounterResetSeconds:
+      "How long to wait from the most recent failed login until resetting the lockout counter."
  },
  CREATE_CLIENT_SECRET: {
    identityId: "The ID of the identity to create a client secret for.",
@@ -201,6 +211,9 @@ export const UNIVERSAL_AUTH = {
    identityId: "The ID of the identity to revoke the client secret from.",
    clientSecretId: "The ID of the client secret to revoke."
  },
+  CLEAR_CLIENT_LOCKOUTS: {
+    identityId: "The ID of the identity to clear the client lockouts from."
+  },
  RENEW_ACCESS_TOKEN: {
    accessToken: "The access token to renew."
  },
@@ -2148,7 +2161,9 @@ export const CertificateAuthorities = {
      directoryUrl: `The directory URL for the ACME Certificate Authority.`,
      accountEmail: `The email address for the ACME Certificate Authority.`,
      provider: `The DNS provider for the ACME Certificate Authority.`,
-      hostedZoneId: `The hosted zone ID for the ACME Certificate Authority.`
+      hostedZoneId: `The hosted zone ID for the ACME Certificate Authority.`,
+      eabKid: `The External Account Binding (EAB) Key ID for the ACME Certificate Authority. Required if the ACME provider uses EAB.`,
+      eabHmacKey: `The External Account Binding (EAB) HMAC key for the ACME Certificate Authority. Required if the ACME provider uses EAB.`
    },
    INTERNAL: {
      type: "The type of CA to create.",
@@ -2312,6 +2327,15 @@ export const AppConnections = {
    OKTA: {
      instanceUrl: "The URL used to access your Okta organization.",
      apiToken: "The API token used to authenticate with Okta."
+    },
+    AZURE_ADCS: {
+      adcsUrl:
+        "The HTTPS URL of the Azure ADCS instance to connect with (e.g., 'https://adcs.yourdomain.com/certsrv').",
+      username: "The username used to access Azure ADCS (format: 'DOMAIN\\username' or 'username@domain.com').",
+      password: "The password used to access Azure ADCS.",
+      sslRejectUnauthorized:
+        "Whether or not to reject unauthorized SSL certificates (true/false). Set to false only in test environments with self-signed certificates.",
+      sslCertificate: "The SSL certificate (PEM format) to use for secure connection."
    }
  }
 };
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -218,6 +218,8 @@ const envSchema = z
    ),
    PARAMS_FOLDER_SECRET_DETECTION_ENTROPY: z.coerce.number().optional().default(3.7),

+    INFISICAL_PRIMARY_INSTANCE_URL: zpStr(z.string().optional()),
+
    // HSM
    HSM_LIB_PATH: zpStr(z.string().optional()),
    HSM_PIN: zpStr(z.string().optional()),
--- a/backend/src/lib/ip/index.test.ts
+++ b/backend/src/lib/ip/index.test.ts
@@ -0,0 +1,121 @@
+import { extractIPDetails, IPType, isValidCidr, isValidIp, isValidIpOrCidr } from "./index";
+
+describe("IP Validation", () => {
+  describe("isValidIp", () => {
+    test("should validate IPv4 addresses with ports", () => {
+      expect(isValidIp("192.168.1.1:8080")).toBe(true);
+      expect(isValidIp("10.0.0.1:1234")).toBe(true);
+      expect(isValidIp("172.16.0.1:80")).toBe(true);
+    });
+
+    test("should validate IPv6 addresses with ports", () => {
+      expect(isValidIp("[2001:db8::1]:8080")).toBe(true);
+      expect(isValidIp("[fe80::1ff:fe23:4567:890a]:1234")).toBe(true);
+      expect(isValidIp("[::1]:80")).toBe(true);
+    });
+
+    test("should validate regular IPv4 addresses", () => {
+      expect(isValidIp("192.168.1.1")).toBe(true);
+      expect(isValidIp("10.0.0.1")).toBe(true);
+      expect(isValidIp("172.16.0.1")).toBe(true);
+    });
+
+    test("should validate regular IPv6 addresses", () => {
+      expect(isValidIp("2001:db8::1")).toBe(true);
+      expect(isValidIp("fe80::1ff:fe23:4567:890a")).toBe(true);
+      expect(isValidIp("::1")).toBe(true);
+    });
+
+    test("should reject invalid IP addresses", () => {
+      expect(isValidIp("256.256.256.256")).toBe(false);
+      expect(isValidIp("192.168.1")).toBe(false);
+      expect(isValidIp("192.168.1.1.1")).toBe(false);
+      expect(isValidIp("2001:db8::1::1")).toBe(false);
+      expect(isValidIp("invalid")).toBe(false);
+    });
+
+    test("should reject malformed IP addresses with ports", () => {
+      expect(isValidIp("192.168.1.1:")).toBe(false);
+      expect(isValidIp("192.168.1.1:abc")).toBe(false);
+      expect(isValidIp("[2001:db8::1]")).toBe(false);
+      expect(isValidIp("[2001:db8::1]:")).toBe(false);
+      expect(isValidIp("[2001:db8::1]:abc")).toBe(false);
+    });
+  });
+
+  describe("isValidCidr", () => {
+    test("should validate IPv4 CIDR blocks", () => {
+      expect(isValidCidr("192.168.1.0/24")).toBe(true);
+      expect(isValidCidr("10.0.0.0/8")).toBe(true);
+      expect(isValidCidr("172.16.0.0/16")).toBe(true);
+    });
+
+    test("should validate IPv6 CIDR blocks", () => {
+      expect(isValidCidr("2001:db8::/32")).toBe(true);
+      expect(isValidCidr("fe80::/10")).toBe(true);
+      expect(isValidCidr("::/0")).toBe(true);
+    });
+
+    test("should reject invalid CIDR blocks", () => {
+      expect(isValidCidr("192.168.1.0/33")).toBe(false);
+      expect(isValidCidr("2001:db8::/129")).toBe(false);
+      expect(isValidCidr("192.168.1.0/abc")).toBe(false);
+      expect(isValidCidr("invalid/24")).toBe(false);
+    });
+  });
+
+  describe("isValidIpOrCidr", () => {
+    test("should validate both IP addresses and CIDR blocks", () => {
+      expect(isValidIpOrCidr("192.168.1.1")).toBe(true);
+      expect(isValidIpOrCidr("2001:db8::1")).toBe(true);
+      expect(isValidIpOrCidr("192.168.1.0/24")).toBe(true);
+      expect(isValidIpOrCidr("2001:db8::/32")).toBe(true);
+    });
+
+    test("should reject invalid inputs", () => {
+      expect(isValidIpOrCidr("invalid")).toBe(false);
+      expect(isValidIpOrCidr("192.168.1.0/33")).toBe(false);
+      expect(isValidIpOrCidr("2001:db8::/129")).toBe(false);
+    });
+  });
+
+  describe("extractIPDetails", () => {
+    test("should extract IPv4 address details", () => {
+      const result = extractIPDetails("192.168.1.1");
+      expect(result).toEqual({
+        ipAddress: "192.168.1.1",
+        type: IPType.IPV4
+      });
+    });
+
+    test("should extract IPv6 address details", () => {
+      const result = extractIPDetails("2001:db8::1");
+      expect(result).toEqual({
+        ipAddress: "2001:db8::1",
+        type: IPType.IPV6
+      });
+    });
+
+    test("should extract IPv4 CIDR details", () => {
+      const result = extractIPDetails("192.168.1.0/24");
+      expect(result).toEqual({
+        ipAddress: "192.168.1.0",
+        type: IPType.IPV4,
+        prefix: 24
+      });
+    });
+
+    test("should extract IPv6 CIDR details", () => {
+      const result = extractIPDetails("2001:db8::/32");
+      expect(result).toEqual({
+        ipAddress: "2001:db8::",
+        type: IPType.IPV6,
+        prefix: 32
+      });
+    });
+
+    test("should throw error for invalid IP", () => {
+      expect(() => extractIPDetails("invalid")).toThrow("Failed to extract IP details");
+    });
+  });
+});
--- a/backend/src/lib/ip/index.ts
+++ b/backend/src/lib/ip/index.ts
@@ -1,5 +1,7 @@
 import net from "node:net";

+import RE2 from "re2";
+
 import { ForbiddenRequestError } from "../errors";

 export enum IPType {
@@ -7,25 +9,55 @@ export enum IPType {
  IPV6 = "ipv6"
 }

+const PORT_REGEX = new RE2(/^\d+$/);
+
+/**
+ * Strips port from IP address if present.
+ * Handles both IPv4 (e.g. 1.2.3.4:1234) and IPv6 (e.g. [2001:db8::1]:8080) formats.
+ * Returns the IP address without port and a boolean indicating if a port was present.
+ */
+const stripPort = (ip: string): { ipAddress: string } => {
+  // Handle IPv6 with port (e.g. [2001:db8::1]:8080)
+  if (ip.startsWith("[") && ip.includes("]:")) {
+    const endBracketIndex = ip.indexOf("]");
+    if (endBracketIndex === -1) return { ipAddress: ip };
+    const ipPart = ip.slice(1, endBracketIndex);
+    const portPart = ip.slice(endBracketIndex + 2);
+    if (!portPart || !PORT_REGEX.test(portPart)) return { ipAddress: ip };
+    return { ipAddress: ipPart };
+  }
+
+  // Handle IPv4 with port (e.g. 1.2.3.4:1234)
+  if (ip.includes(":")) {
+    const [ipPart, portPart] = ip.split(":");
+    if (!portPart || !PORT_REGEX.test(portPart)) return { ipAddress: ip };
+    return { ipAddress: ipPart };
+  }
+
+  return { ipAddress: ip };
+};
+
 /**
 * Return details of IP [ip]:
 * - If [ip] is a specific IP address then return the IPv4/IPv6 address
 * - If [ip] is a subnet then return the network IPv4/IPv6 address and prefix
 */
 export const extractIPDetails = (ip: string) => {
-  if (net.isIPv4(ip))
+  const { ipAddress } = stripPort(ip);
+
+  if (net.isIPv4(ipAddress))
    return {
-      ipAddress: ip,
+      ipAddress,
      type: IPType.IPV4
    };

-  if (net.isIPv6(ip))
+  if (net.isIPv6(ipAddress))
    return {
-      ipAddress: ip,
+      ipAddress,
      type: IPType.IPV6
    };

-  const [ipNet, prefix] = ip.split("/");
+  const [ipNet, prefix] = ipAddress.split("/");

  let type;
  switch (net.isIP(ipNet)) {
@@ -57,7 +89,8 @@ export const extractIPDetails = (ip: string) => {
 *
 */
 export const isValidCidr = (cidr: string): boolean => {
-  const [ip, prefix] = cidr.split("/");
+  const { ipAddress } = stripPort(cidr);
+  const [ip, prefix] = ipAddress.split("/");

  const prefixNum = parseInt(prefix, 10);

@@ -90,13 +123,15 @@ export const isValidCidr = (cidr: string): boolean => {
 *
 */
 export const isValidIpOrCidr = (ip: string): boolean => {
+  const { ipAddress } = stripPort(ip);
+
  // if the string contains a slash, treat it as a CIDR block
-  if (ip.includes("/")) {
-    return isValidCidr(ip);
+  if (ipAddress.includes("/")) {
+    return isValidCidr(ipAddress);
  }

  // otherwise, treat it as a standalone IP address
-  if (net.isIPv4(ip) || net.isIPv6(ip)) {
+  if (net.isIPv4(ipAddress) || net.isIPv6(ipAddress)) {
    return true;
  }

@@ -104,7 +139,8 @@ export const isValidIpOrCidr = (ip: string): boolean => {
 };

 export const isValidIp = (ip: string) => {
-  return net.isIPv4(ip) || net.isIPv6(ip);
+  const { ipAddress } = stripPort(ip);
+  return net.isIPv4(ipAddress) || net.isIPv6(ipAddress);
 };

 export type TIp = {
@@ -112,6 +148,7 @@ export type TIp = {
  type: IPType;
  prefix: number;
 };
+
 /**
 * Validates the IP address [ipAddress] against the trusted IPs [trustedIps].
 */
@@ -126,8 +163,9 @@ export const checkIPAgainstBlocklist = ({ ipAddress, trustedIps }: { ipAddress:
    }
  }

-  const { type } = extractIPDetails(ipAddress);
-  const check = blockList.check(ipAddress, type);
+  const { type, ipAddress: cleanIpAddress } = extractIPDetails(ipAddress);
+
+  const check = blockList.check(cleanIpAddress, type);

  if (!check)
    throw new ForbiddenRequestError({
--- a/backend/src/lib/retry/index.ts
+++ b/backend/src/lib/retry/index.ts
@@ -0,0 +1,43 @@
+/* eslint-disable no-await-in-loop */
+interface GitHubApiError extends Error {
+  status?: number;
+  response?: {
+    status?: number;
+    headers?: {
+      "x-ratelimit-reset"?: string;
+    };
+  };
+}
+
+const delay = (ms: number) =>
+  new Promise<void>((resolve) => {
+    setTimeout(() => resolve(), ms);
+  });
+
+export const retryWithBackoff = async <T>(fn: () => Promise<T>, maxRetries = 3, baseDelay = 1000): Promise<T> => {
+  let lastError: Error;
+
+  for (let attempt = 0; attempt <= maxRetries; attempt += 1) {
+    try {
+      return await fn();
+    } catch (error) {
+      lastError = error as Error;
+      const gitHubError = error as GitHubApiError;
+      const statusCode = gitHubError.status || gitHubError.response?.status;
+      if (statusCode === 403) {
+        const rateLimitReset = gitHubError.response?.headers?.["x-ratelimit-reset"];
+        if (rateLimitReset) {
+          const resetTime = parseInt(rateLimitReset, 10) * 1000;
+          const waitTime = Math.max(resetTime - Date.now(), baseDelay);
+          await delay(Math.min(waitTime, 60000));
+        } else {
+          await delay(baseDelay * 2 ** attempt);
+        }
+      } else if (attempt < maxRetries) {
+        await delay(baseDelay * 2 ** attempt);
+      }
+    }
+  }
+
+  throw lastError!;
+};
--- a/backend/src/server/plugins/auth/inject-identity.ts
+++ b/backend/src/server/plugins/auth/inject-identity.ts
@@ -107,110 +107,117 @@ export const extractAuth = async (req: FastifyRequest, jwtSecret: string) => {
 };

 // ! Important: You can only 100% count on the `req.permission.orgId` field being present when the auth method is Identity Access Token (Machine Identity).
-export const injectIdentity = fp(async (server: FastifyZodProvider) => {
-  server.decorateRequest("auth", null);
-  server.addHook("onRequest", async (req) => {
-    const appCfg = getConfig();
+export const injectIdentity = fp(
+  async (server: FastifyZodProvider, opt: { shouldForwardWritesToPrimaryInstance?: boolean }) => {
+    server.decorateRequest("auth", null);
+    server.decorateRequest("shouldForwardWritesToPrimaryInstance", Boolean(opt.shouldForwardWritesToPrimaryInstance));
+    server.addHook("onRequest", async (req) => {
+      const appCfg = getConfig();

-    if (req.url.includes(".well-known/est") || req.url.includes("/api/v3/auth/")) {
-      return;
-    }
-
-    // Authentication is handled on a route-level here.
-    if (req.url.includes("/api/v1/workflow-integrations/microsoft-teams/message-endpoint")) {
-      return;
-    }
-
-    const { authMode, token, actor } = await extractAuth(req, appCfg.AUTH_SECRET);
-
-    if (!authMode) return;
-
-    switch (authMode) {
-      case AuthMode.JWT: {
-        const { user, tokenVersionId, orgId } = await server.services.authToken.fnValidateJwtIdentity(token);
-        requestContext.set("orgId", orgId);
-        req.auth = {
-          authMode: AuthMode.JWT,
-          user,
-          userId: user.id,
-          tokenVersionId,
-          actor,
-          orgId: orgId as string,
-          authMethod: token.authMethod,
-          isMfaVerified: token.isMfaVerified,
-          token
-        };
-        break;
+      if (opt.shouldForwardWritesToPrimaryInstance && req.method !== "GET") {
+        return;
      }
-      case AuthMode.IDENTITY_ACCESS_TOKEN: {
-        const identity = await server.services.identityAccessToken.fnValidateIdentityAccessToken(token, req.realIp);
-        const serverCfg = await getServerCfg();
-        requestContext.set("orgId", identity.orgId);
-        req.auth = {
-          authMode: AuthMode.IDENTITY_ACCESS_TOKEN,
-          actor,
-          orgId: identity.orgId,
-          identityId: identity.identityId,
-          identityName: identity.name,
-          authMethod: null,
-          isInstanceAdmin: serverCfg?.adminIdentityIds?.includes(identity.identityId),
-          token
-        };
-        if (token?.identityAuth?.oidc) {
-          requestContext.set("identityAuthInfo", {
-            identityId: identity.identityId,
-            oidc: token?.identityAuth?.oidc
-          });
+
+      if (req.url.includes(".well-known/est") || req.url.includes("/api/v3/auth/")) {
+        return;
+      }
+
+      // Authentication is handled on a route-level here.
+      if (req.url.includes("/api/v1/workflow-integrations/microsoft-teams/message-endpoint")) {
+        return;
+      }
+
+      const { authMode, token, actor } = await extractAuth(req, appCfg.AUTH_SECRET);
+
+      if (!authMode) return;
+
+      switch (authMode) {
+        case AuthMode.JWT: {
+          const { user, tokenVersionId, orgId } = await server.services.authToken.fnValidateJwtIdentity(token);
+          requestContext.set("orgId", orgId);
+          req.auth = {
+            authMode: AuthMode.JWT,
+            user,
+            userId: user.id,
+            tokenVersionId,
+            actor,
+            orgId: orgId as string,
+            authMethod: token.authMethod,
+            isMfaVerified: token.isMfaVerified,
+            token
+          };
+          break;
        }
-        if (token?.identityAuth?.kubernetes) {
-          requestContext.set("identityAuthInfo", {
+        case AuthMode.IDENTITY_ACCESS_TOKEN: {
+          const identity = await server.services.identityAccessToken.fnValidateIdentityAccessToken(token, req.realIp);
+          const serverCfg = await getServerCfg();
+          requestContext.set("orgId", identity.orgId);
+          req.auth = {
+            authMode: AuthMode.IDENTITY_ACCESS_TOKEN,
+            actor,
+            orgId: identity.orgId,
            identityId: identity.identityId,
-            kubernetes: token?.identityAuth?.kubernetes
-          });
+            identityName: identity.name,
+            authMethod: null,
+            isInstanceAdmin: serverCfg?.adminIdentityIds?.includes(identity.identityId),
+            token
+          };
+          if (token?.identityAuth?.oidc) {
+            requestContext.set("identityAuthInfo", {
+              identityId: identity.identityId,
+              oidc: token?.identityAuth?.oidc
+            });
+          }
+          if (token?.identityAuth?.kubernetes) {
+            requestContext.set("identityAuthInfo", {
+              identityId: identity.identityId,
+              kubernetes: token?.identityAuth?.kubernetes
+            });
+          }
+          if (token?.identityAuth?.aws) {
+            requestContext.set("identityAuthInfo", {
+              identityId: identity.identityId,
+              aws: token?.identityAuth?.aws
+            });
+          }
+          break;
        }
-        if (token?.identityAuth?.aws) {
-          requestContext.set("identityAuthInfo", {
-            identityId: identity.identityId,
-            aws: token?.identityAuth?.aws
-          });
+        case AuthMode.SERVICE_TOKEN: {
+          const serviceToken = await server.services.serviceToken.fnValidateServiceToken(token);
+          requestContext.set("orgId", serviceToken.orgId);
+          req.auth = {
+            orgId: serviceToken.orgId,
+            authMode: AuthMode.SERVICE_TOKEN as const,
+            serviceToken,
+            serviceTokenId: serviceToken.id,
+            actor,
+            authMethod: null,
+            token
+          };
+          break;
        }
-        break;
+        case AuthMode.API_KEY: {
+          const user = await server.services.apiKey.fnValidateApiKey(token as string);
+          req.auth = {
+            authMode: AuthMode.API_KEY as const,
+            userId: user.id,
+            actor,
+            user,
+            orgId: "API_KEY", // We set the orgId to an arbitrary value, since we can't link an API key to a specific org. We have to deprecate API keys soon!
+            authMethod: null,
+            token: token as string
+          };
+          break;
+        }
+        case AuthMode.SCIM_TOKEN: {
+          const { orgId, scimTokenId } = await server.services.scim.fnValidateScimToken(token);
+          requestContext.set("orgId", orgId);
+          req.auth = { authMode: AuthMode.SCIM_TOKEN, actor, scimTokenId, orgId, authMethod: null };
+          break;
+        }
+        default:
+          throw new BadRequestError({ message: "Invalid token strategy provided" });
      }
-      case AuthMode.SERVICE_TOKEN: {
-        const serviceToken = await server.services.serviceToken.fnValidateServiceToken(token);
-        requestContext.set("orgId", serviceToken.orgId);
-        req.auth = {
-          orgId: serviceToken.orgId,
-          authMode: AuthMode.SERVICE_TOKEN as const,
-          serviceToken,
-          serviceTokenId: serviceToken.id,
-          actor,
-          authMethod: null,
-          token
-        };
-        break;
-      }
-      case AuthMode.API_KEY: {
-        const user = await server.services.apiKey.fnValidateApiKey(token as string);
-        req.auth = {
-          authMode: AuthMode.API_KEY as const,
-          userId: user.id,
-          actor,
-          user,
-          orgId: "API_KEY", // We set the orgId to an arbitrary value, since we can't link an API key to a specific org. We have to deprecate API keys soon!
-          authMethod: null,
-          token: token as string
-        };
-        break;
-      }
-      case AuthMode.SCIM_TOKEN: {
-        const { orgId, scimTokenId } = await server.services.scim.fnValidateScimToken(token);
-        requestContext.set("orgId", orgId);
-        req.auth = { authMode: AuthMode.SCIM_TOKEN, actor, scimTokenId, orgId, authMethod: null };
-        break;
-      }
-      default:
-        throw new BadRequestError({ message: "Invalid token strategy provided" });
-    }
-  });
-});
+    });
+  }
+);
--- a/backend/src/server/plugins/auth/verify-auth.ts
+++ b/backend/src/server/plugins/auth/verify-auth.ts
@@ -10,6 +10,10 @@ interface TAuthOptions {
 export const verifyAuth =
  <T extends FastifyRequest>(authStrategies: AuthMode[], options: TAuthOptions = { requireOrg: true }) =>
  (req: T, _res: FastifyReply, done: HookHandlerDoneFunction) => {
+    if (req.shouldForwardWritesToPrimaryInstance && req.method !== "GET") {
+      return done();
+    }
+
    if (!Array.isArray(authStrategies)) throw new Error("Auth strategy must be array");
    if (!req.auth) throw new UnauthorizedError({ message: "Token missing" });

--- a/backend/src/server/plugins/primary-forwarding-mode.ts
+++ b/backend/src/server/plugins/primary-forwarding-mode.ts
@@ -0,0 +1,14 @@
+import replyFrom from "@fastify/reply-from";
+import fp from "fastify-plugin";
+
+export const forwardWritesToPrimary = fp(async (server, opt: { primaryUrl: string }) => {
+  await server.register(replyFrom, {
+    base: opt.primaryUrl
+  });
+
+  server.addHook("preValidation", async (request, reply) => {
+    if (request.url.startsWith("/api") && ["POST", "PUT", "DELETE", "PATCH"].includes(request.method)) {
+      return reply.from(request.url);
+    }
+  });
+});
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -291,6 +291,8 @@ import { TSmtpService } from "@app/services/smtp/smtp-service";
 import { invalidateCacheQueueFactory } from "@app/services/super-admin/invalidate-cache-queue";
 import { TSuperAdminDALFactory } from "@app/services/super-admin/super-admin-dal";
 import { getServerCfg, superAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
+import { offlineUsageReportDALFactory } from "@app/services/offline-usage-report/offline-usage-report-dal";
+import { offlineUsageReportServiceFactory } from "@app/services/offline-usage-report/offline-usage-report-service";
 import { telemetryDALFactory } from "@app/services/telemetry/telemetry-dal";
 import { telemetryQueueServiceFactory } from "@app/services/telemetry/telemetry-queue";
 import { telemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
@@ -310,6 +312,7 @@ import { injectAssumePrivilege } from "../plugins/auth/inject-assume-privilege";
 import { injectIdentity } from "../plugins/auth/inject-identity";
 import { injectPermission } from "../plugins/auth/inject-permission";
 import { injectRateLimits } from "../plugins/inject-rate-limits";
+import { forwardWritesToPrimary } from "../plugins/primary-forwarding-mode";
 import { registerV1Routes } from "./v1";
 import { initializeOauthConfigSync } from "./v1/sso-router";
 import { registerV2Routes } from "./v2";
@@ -385,6 +388,7 @@ export const registerRoutes = async (
  const reminderRecipientDAL = reminderRecipientDALFactory(db);

  const integrationDAL = integrationDALFactory(db);
+  const offlineUsageReportDAL = offlineUsageReportDALFactory(db);
  const integrationAuthDAL = integrationAuthDALFactory(db);
  const webhookDAL = webhookDALFactory(db);
  const serviceTokenDAL = serviceTokenDALFactory(db);
@@ -680,7 +684,8 @@ export const registerRoutes = async (
    kmsService,
    permissionService,
    groupDAL,
-    userGroupMembershipDAL
+    userGroupMembershipDAL,
+    orgMembershipDAL
  });

  const ldapService = ldapConfigServiceFactory({
@@ -841,7 +846,14 @@ export const registerRoutes = async (
    licenseService,
    kmsService,
    microsoftTeamsService,
-    invalidateCacheQueue
+    invalidateCacheQueue,
+    smtpService,
+    tokenService
+  });
+
+  const offlineUsageReportService = offlineUsageReportServiceFactory({
+    offlineUsageReportDAL,
+    licenseService
  });

  const orgAdminService = orgAdminServiceFactory({
@@ -1456,7 +1468,8 @@ export const registerRoutes = async (
    identityOrgMembershipDAL,
    identityProjectDAL,
    licenseService,
-    identityMetadataDAL
+    identityMetadataDAL,
+    keyStore
  });

  const identityAuthTemplateService = identityAuthTemplateServiceFactory({
@@ -1510,7 +1523,8 @@ export const registerRoutes = async (
    identityAccessTokenDAL,
    identityUaClientSecretDAL,
    identityUaDAL,
-    licenseService
+    licenseService,
+    keyStore
  });

  const identityKubernetesAuthService = identityKubernetesAuthServiceFactory({
@@ -1744,7 +1758,8 @@ export const registerRoutes = async (
  const migrationService = externalMigrationServiceFactory({
    externalMigrationQueue,
    userDAL,
-    permissionService
+    permissionService,
+    gatewayService
  });

  const externalGroupOrgRoleMappingService = externalGroupOrgRoleMappingServiceFactory({
@@ -1999,6 +2014,7 @@ export const registerRoutes = async (
    apiKey: apiKeyService,
    authToken: tokenService,
    superAdmin: superAdminService,
+    offlineUsageReport: offlineUsageReportService,
    project: projectService,
    projectMembership: projectMembershipService,
    projectKey: projectKeyService,
@@ -2131,8 +2147,14 @@ export const registerRoutes = async (
    user: userDAL,
    kmipClient: kmipClientDAL
  });
+  const shouldForwardWritesToPrimaryInstance = Boolean(envConfig.INFISICAL_PRIMARY_INSTANCE_URL);
+  if (shouldForwardWritesToPrimaryInstance) {
+    logger.info(`Infisical primary instance is configured: ${envConfig.INFISICAL_PRIMARY_INSTANCE_URL}`);

-  await server.register(injectIdentity, { userDAL, serviceTokenDAL });
+    await server.register(forwardWritesToPrimary, { primaryUrl: envConfig.INFISICAL_PRIMARY_INSTANCE_URL as string });
+  }
+
+  await server.register(injectIdentity, { shouldForwardWritesToPrimaryInstance });
  await server.register(injectAssumePrivilege);
  await server.register(injectPermission);
  await server.register(injectRateLimits);
--- a/backend/src/server/routes/v1/admin-router.ts
+++ b/backend/src/server/routes/v1/admin-router.ts
@@ -13,6 +13,7 @@ import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError } from "@app/lib/errors";
 import { invalidateCacheLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { addAuthOriginDomainCookie } from "@app/server/lib/cookie";
+import { GenericResourceNameSchema } from "@app/server/lib/schemas";
 import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifySuperAdmin } from "@app/server/plugins/auth/superAdmin";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -53,7 +54,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
            defaultAuthOrgAuthMethod: z.string().nullish(),
            isSecretScanningDisabled: z.boolean(),
            kubernetesAutoFetchServiceAccountToken: z.boolean(),
-            paramsFolderSecretDetectionEnabled: z.boolean()
+            paramsFolderSecretDetectionEnabled: z.boolean(),
+            isOfflineUsageReportsEnabled: z.boolean()
          })
        })
      }
@@ -69,7 +71,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
          isMigrationModeOn: serverEnvs.MAINTENANCE_MODE,
          isSecretScanningDisabled: serverEnvs.DISABLE_SECRET_SCANNING,
          kubernetesAutoFetchServiceAccountToken: serverEnvs.KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN,
-          paramsFolderSecretDetectionEnabled: serverEnvs.PARAMS_FOLDER_SECRET_DETECTION_ENABLED
+          paramsFolderSecretDetectionEnabled: serverEnvs.PARAMS_FOLDER_SECRET_DETECTION_ENABLED,
+          isOfflineUsageReportsEnabled: !!serverEnvs.LICENSE_KEY_OFFLINE
        }
      };
    }
@@ -215,7 +218,8 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
                }),
                membershipId: z.string(),
                role: z.string(),
-                roleId: z.string().nullish()
+                roleId: z.string().nullish(),
+                status: z.string().nullish()
              })
              .array(),
            projects: z
@@ -838,4 +842,121 @@ export const registerAdminRouter = async (server: FastifyZodProvider) => {
      };
    }
  });
+
+  server.route({
+    method: "POST",
+    url: "/organization-management/organizations",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        name: GenericResourceNameSchema,
+        inviteAdminEmails: z.string().email().array().min(1)
+      }),
+      response: {
+        200: z.object({
+          organization: OrganizationsSchema
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      const organization = await server.services.superAdmin.createOrganization(req.body, req.permission);
+      return { organization };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/organization-management/organizations/:organizationId/memberships/:membershipId/resend-invite",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        organizationId: z.string(),
+        membershipId: z.string()
+      }),
+      response: {
+        200: z.object({
+          organizationMembership: OrgMembershipsSchema
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      const organizationMembership = await server.services.superAdmin.resendOrgInvite(req.params, req.permission);
+      return { organizationMembership };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/organization-management/organizations/:organizationId/access",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        organizationId: z.string()
+      }),
+      response: {
+        200: z.object({
+          organizationMembership: OrgMembershipsSchema
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async (req) => {
+      const organizationMembership = await server.services.superAdmin.joinOrganization(
+        req.params.organizationId,
+        req.permission
+      );
+      return { organizationMembership };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/usage-report/generate",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          csvContent: z.string(),
+          signature: z.string(),
+          filename: z.string()
+        })
+      }
+    },
+    onRequest: (req, res, done) => {
+      verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN])(req, res, () => {
+        verifySuperAdmin(req, res, done);
+      });
+    },
+    handler: async () => {
+      const result = await server.services.offlineUsageReport.generateUsageReportCSV();
+
+      return {
+        csvContent: result.csvContent,
+        signature: result.signature,
+        filename: result.filename
+      };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/app-connection-router.ts
@@ -15,6 +15,10 @@ import {
 } from "@app/services/app-connection/1password";
 import { Auth0ConnectionListItemSchema, SanitizedAuth0ConnectionSchema } from "@app/services/app-connection/auth0";
 import { AwsConnectionListItemSchema, SanitizedAwsConnectionSchema } from "@app/services/app-connection/aws";
+import {
+  AzureADCSConnectionListItemSchema,
+  SanitizedAzureADCSConnectionSchema
+} from "@app/services/app-connection/azure-adcs/azure-adcs-connection-schemas";
 import {
  AzureAppConfigurationConnectionListItemSchema,
  SanitizedAzureAppConfigurationConnectionSchema
@@ -150,7 +154,8 @@ const SanitizedAppConnectionSchema = z.union([
  ...SanitizedSupabaseConnectionSchema.options,
  ...SanitizedDigitalOceanConnectionSchema.options,
  ...SanitizedNetlifyConnectionSchema.options,
-  ...SanitizedOktaConnectionSchema.options
+  ...SanitizedOktaConnectionSchema.options,
+  ...SanitizedAzureADCSConnectionSchema.options
 ]);

 const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
@@ -190,7 +195,8 @@ const AppConnectionOptionsSchema = z.discriminatedUnion("app", [
  SupabaseConnectionListItemSchema,
  DigitalOceanConnectionListItemSchema,
  NetlifyConnectionListItemSchema,
-  OktaConnectionListItemSchema
+  OktaConnectionListItemSchema,
+  AzureADCSConnectionListItemSchema
 ]);

 export const registerAppConnectionRouter = async (server: FastifyZodProvider) => {
--- a/backend/src/server/routes/v1/app-connection-routers/azure-adcs-connection-router.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/azure-adcs-connection-router.ts
@@ -0,0 +1,18 @@
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  CreateAzureADCSConnectionSchema,
+  SanitizedAzureADCSConnectionSchema,
+  UpdateAzureADCSConnectionSchema
+} from "@app/services/app-connection/azure-adcs";
+
+import { registerAppConnectionEndpoints } from "./app-connection-endpoints";
+
+export const registerAzureADCSConnectionRouter = async (server: FastifyZodProvider) => {
+  registerAppConnectionEndpoints({
+    app: AppConnection.AzureADCS,
+    server,
+    sanitizedResponseSchema: SanitizedAzureADCSConnectionSchema,
+    createSchema: CreateAzureADCSConnectionSchema,
+    updateSchema: UpdateAzureADCSConnectionSchema
+  });
+};
--- a/backend/src/server/routes/v1/app-connection-routers/index.ts
+++ b/backend/src/server/routes/v1/app-connection-routers/index.ts
@@ -5,6 +5,7 @@ import { AppConnection } from "@app/services/app-connection/app-connection-enums
 import { registerOnePassConnectionRouter } from "./1password-connection-router";
 import { registerAuth0ConnectionRouter } from "./auth0-connection-router";
 import { registerAwsConnectionRouter } from "./aws-connection-router";
+import { registerAzureADCSConnectionRouter } from "./azure-adcs-connection-router";
 import { registerAzureAppConfigurationConnectionRouter } from "./azure-app-configuration-connection-router";
 import { registerAzureClientSecretsConnectionRouter } from "./azure-client-secrets-connection-router";
 import { registerAzureDevOpsConnectionRouter } from "./azure-devops-connection-router";
@@ -50,6 +51,7 @@ export const APP_CONNECTION_REGISTER_ROUTER_MAP: Record<AppConnection, (server:
    [AppConnection.AzureAppConfiguration]: registerAzureAppConfigurationConnectionRouter,
    [AppConnection.AzureClientSecrets]: registerAzureClientSecretsConnectionRouter,
    [AppConnection.AzureDevOps]: registerAzureDevOpsConnectionRouter,
+    [AppConnection.AzureADCS]: registerAzureADCSConnectionRouter,
    [AppConnection.Databricks]: registerDatabricksConnectionRouter,
    [AppConnection.Humanitec]: registerHumanitecConnectionRouter,
    [AppConnection.TerraformCloud]: registerTerraformCloudConnectionRouter,
--- a/backend/src/server/routes/v1/certificate-authority-routers/azure-ad-cs-certificate-authority-router.ts
+++ b/backend/src/server/routes/v1/certificate-authority-routers/azure-ad-cs-certificate-authority-router.ts
@@ -0,0 +1,78 @@
+import { z } from "zod";
+
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { readLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import {
+  AzureAdCsCertificateAuthoritySchema,
+  CreateAzureAdCsCertificateAuthoritySchema,
+  UpdateAzureAdCsCertificateAuthoritySchema
+} from "@app/services/certificate-authority/azure-ad-cs/azure-ad-cs-certificate-authority-schemas";
+import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+
+import { registerCertificateAuthorityEndpoints } from "./certificate-authority-endpoints";
+
+export const registerAzureAdCsCertificateAuthorityRouter = async (server: FastifyZodProvider) => {
+  registerCertificateAuthorityEndpoints({
+    caType: CaType.AZURE_AD_CS,
+    server,
+    responseSchema: AzureAdCsCertificateAuthoritySchema,
+    createSchema: CreateAzureAdCsCertificateAuthoritySchema,
+    updateSchema: UpdateAzureAdCsCertificateAuthoritySchema
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:caId/templates",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      hide: false,
+      description: "Get available certificate templates from Azure AD CS CA",
+      params: z.object({
+        caId: z.string().describe("Azure AD CS CA ID")
+      }),
+      querystring: z.object({
+        projectId: z.string().describe("Project ID")
+      }),
+      response: {
+        200: z.object({
+          templates: z.array(
+            z.object({
+              id: z.string().describe("Template identifier"),
+              name: z.string().describe("Template display name"),
+              description: z.string().optional().describe("Template description")
+            })
+          )
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const templates = await server.services.certificateAuthority.getAzureAdcsTemplates({
+        caId: req.params.caId,
+        projectId: req.query.projectId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: req.query.projectId,
+        event: {
+          type: EventType.GET_AZURE_AD_TEMPLATES,
+          metadata: {
+            caId: req.params.caId,
+            amount: templates.length
+          }
+        }
+      });
+
+      return { templates };
+    }
+  });
+};
--- a/backend/src/server/routes/v1/certificate-authority-routers/index.ts
+++ b/backend/src/server/routes/v1/certificate-authority-routers/index.ts
@@ -1,6 +1,7 @@
 import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";

 import { registerAcmeCertificateAuthorityRouter } from "./acme-certificate-authority-router";
+import { registerAzureAdCsCertificateAuthorityRouter } from "./azure-ad-cs-certificate-authority-router";
 import { registerInternalCertificateAuthorityRouter } from "./internal-certificate-authority-router";

 export * from "./internal-certificate-authority-router";
@@ -8,5 +9,6 @@ export * from "./internal-certificate-authority-router";
 export const CERTIFICATE_AUTHORITY_REGISTER_ROUTER_MAP: Record<CaType, (server: FastifyZodProvider) => Promise<void>> =
  {
    [CaType.INTERNAL]: registerInternalCertificateAuthorityRouter,
-    [CaType.ACME]: registerAcmeCertificateAuthorityRouter
+    [CaType.ACME]: registerAcmeCertificateAuthorityRouter,
+    [CaType.AZURE_AD_CS]: registerAzureAdCsCertificateAuthorityRouter
  };
--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@@ -703,6 +703,9 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
      // prevent older projects from accessing endpoint
      if (!shouldUseSecretV2Bridge) throw new BadRequestError({ message: "Project version not supported" });

+      // verify folder exists and user has project permission
+      await server.services.folder.getFolderByPath({ projectId, environment, secretPath }, req.permission);
+
      const tags = req.query.tags?.split(",") ?? [];

      let remainingLimit = limit;
--- a/backend/src/server/routes/v1/identity-router.ts
+++ b/backend/src/server/routes/v1/identity-router.ts
@@ -250,7 +250,8 @@ export const registerIdentityRouter = async (server: FastifyZodProvider) => {
              description: true
            }).optional(),
            identity: IdentitiesSchema.pick({ name: true, id: true, hasDeleteProtection: true }).extend({
-              authMethods: z.array(z.string())
+              authMethods: z.array(z.string()),
+              activeLockoutAuthMethods: z.array(z.string())
            })
          })
        })
--- a/backend/src/server/routes/v1/identity-universal-auth-router.ts
+++ b/backend/src/server/routes/v1/identity-universal-auth-router.ts
@@ -137,7 +137,21 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
            .min(0)
            .default(0)
            .describe(UNIVERSAL_AUTH.ATTACH.accessTokenNumUsesLimit),
-          accessTokenPeriod: z.number().int().min(0).default(0).describe(UNIVERSAL_AUTH.ATTACH.accessTokenPeriod)
+          accessTokenPeriod: z.number().int().min(0).default(0).describe(UNIVERSAL_AUTH.ATTACH.accessTokenPeriod),
+          lockoutEnabled: z.boolean().default(true).describe(UNIVERSAL_AUTH.ATTACH.lockoutEnabled),
+          lockoutThreshold: z.number().min(1).max(30).default(3).describe(UNIVERSAL_AUTH.ATTACH.lockoutThreshold),
+          lockoutDurationSeconds: z
+            .number()
+            .min(30)
+            .max(86400)
+            .default(300)
+            .describe(UNIVERSAL_AUTH.ATTACH.lockoutDurationSeconds),
+          lockoutCounterResetSeconds: z
+            .number()
+            .min(5)
+            .max(3600)
+            .default(30)
+            .describe(UNIVERSAL_AUTH.ATTACH.lockoutCounterResetSeconds)
        })
        .refine(
          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
@@ -171,7 +185,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
            accessTokenMaxTTL: identityUniversalAuth.accessTokenMaxTTL,
            accessTokenTrustedIps: identityUniversalAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
            clientSecretTrustedIps: identityUniversalAuth.clientSecretTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityUniversalAuth.accessTokenNumUsesLimit
+            accessTokenNumUsesLimit: identityUniversalAuth.accessTokenNumUsesLimit,
+            lockoutEnabled: identityUniversalAuth.lockoutEnabled,
+            lockoutThreshold: identityUniversalAuth.lockoutThreshold,
+            lockoutDurationSeconds: identityUniversalAuth.lockoutDurationSeconds,
+            lockoutCounterResetSeconds: identityUniversalAuth.lockoutCounterResetSeconds
          }
        }
      });
@@ -243,7 +261,21 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
            .min(0)
            .max(315360000)
            .optional()
-            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenPeriod)
+            .describe(UNIVERSAL_AUTH.UPDATE.accessTokenPeriod),
+          lockoutEnabled: z.boolean().optional().describe(UNIVERSAL_AUTH.UPDATE.lockoutEnabled),
+          lockoutThreshold: z.number().min(1).max(30).optional().describe(UNIVERSAL_AUTH.UPDATE.lockoutThreshold),
+          lockoutDurationSeconds: z
+            .number()
+            .min(30)
+            .max(86400)
+            .optional()
+            .describe(UNIVERSAL_AUTH.UPDATE.lockoutDurationSeconds),
+          lockoutCounterResetSeconds: z
+            .number()
+            .min(5)
+            .max(3600)
+            .optional()
+            .describe(UNIVERSAL_AUTH.UPDATE.lockoutCounterResetSeconds)
        })
        .refine(
          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
@@ -276,7 +308,11 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
            accessTokenMaxTTL: identityUniversalAuth.accessTokenMaxTTL,
            accessTokenTrustedIps: identityUniversalAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
            clientSecretTrustedIps: identityUniversalAuth.clientSecretTrustedIps as TIdentityTrustedIp[],
-            accessTokenNumUsesLimit: identityUniversalAuth.accessTokenNumUsesLimit
+            accessTokenNumUsesLimit: identityUniversalAuth.accessTokenNumUsesLimit,
+            lockoutEnabled: identityUniversalAuth.lockoutEnabled,
+            lockoutThreshold: identityUniversalAuth.lockoutThreshold,
+            lockoutDurationSeconds: identityUniversalAuth.lockoutDurationSeconds,
+            lockoutCounterResetSeconds: identityUniversalAuth.lockoutCounterResetSeconds
          }
        }
      });
@@ -594,4 +630,53 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
      return { clientSecretData };
    }
  });
+
+  server.route({
+    method: "POST",
+    url: "/universal-auth/identities/:identityId/clear-lockouts",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.UniversalAuth],
+      description: "Clear Universal Auth Lockouts for identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(UNIVERSAL_AUTH.CLEAR_CLIENT_LOCKOUTS.identityId)
+      }),
+      response: {
+        200: z.object({
+          deleted: z.number()
+        })
+      }
+    },
+    handler: async (req) => {
+      const clearLockoutsData = await server.services.identityUa.clearUniversalAuthLockouts({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: clearLockoutsData.orgId,
+        event: {
+          type: EventType.CLEAR_IDENTITY_UNIVERSAL_AUTH_LOCKOUTS,
+          metadata: {
+            identityId: clearLockoutsData.identityId
+          }
+        }
+      });
+
+      return clearLockoutsData;
+    }
+  });
 };
--- a/backend/src/server/routes/v1/pki-subscriber-router.ts
+++ b/backend/src/server/routes/v1/pki-subscriber-router.ts
@@ -1,3 +1,4 @@
+import RE2 from "re2";
 import { z } from "zod";

 import { CertificatesSchema } from "@app/db/schemas";
@@ -112,7 +113,88 @@ export const registerPkiSubscriberRouter = async (server: FastifyZodProvider) =>
          .transform((arr) => Array.from(new Set(arr)))
          .describe(PKI_SUBSCRIBERS.CREATE.extendedKeyUsages),
        enableAutoRenewal: z.boolean().optional().describe(PKI_SUBSCRIBERS.CREATE.enableAutoRenewal),
-        autoRenewalPeriodInDays: z.number().min(1).optional().describe(PKI_SUBSCRIBERS.CREATE.autoRenewalPeriodInDays)
+        autoRenewalPeriodInDays: z.number().min(1).optional().describe(PKI_SUBSCRIBERS.CREATE.autoRenewalPeriodInDays),
+        properties: z
+          .object({
+            azureTemplateType: z.string().optional().describe("Azure ADCS Certificate Template Type"),
+            organization: z
+              .string()
+              .trim()
+              .min(1)
+              .max(64, "Organization cannot exceed 64 characters")
+              .regex(
+                new RE2('^[^,=+<>#;\\\\"/\\r\\n\\t]*$'),
+                'Organization contains invalid characters: , = + < > # ; \\ " / \\r \\n \\t'
+              )
+              .regex(
+                new RE2("^[^\\\\s\\\\-_.]+.*[^\\\\s\\\\-_.]+$|^[^\\\\s\\\\-_.]{1}$"),
+                "Organization cannot start or end with spaces, hyphens, underscores, or periods"
+              )
+              .optional()
+              .describe("Organization (O) - Maximum 64 characters, no special DN characters"),
+            organizationalUnit: z
+              .string()
+              .trim()
+              .min(1)
+              .max(64, "Organizational Unit cannot exceed 64 characters")
+              .regex(
+                new RE2('^[^,=+<>#;\\\\"/\\r\\n\\t]*$'),
+                'Organizational Unit contains invalid characters: , = + < > # ; \\ " / \\r \\n \\t'
+              )
+              .regex(
+                new RE2("^[^\\\\s\\\\-_.]+.*[^\\\\s\\\\-_.]+$|^[^\\\\s\\\\-_.]{1}$"),
+                "Organizational Unit cannot start or end with spaces, hyphens, underscores, or periods"
+              )
+              .optional()
+              .describe("Organizational Unit (OU) - Maximum 64 characters, no special DN characters"),
+            country: z
+              .string()
+              .trim()
+              .length(2, "Country must be exactly 2 characters")
+              .regex(new RE2("^[A-Z]{2}$"), "Country must be exactly 2 uppercase letters")
+              .optional()
+              .describe("Country (C) - Two uppercase letter country code (e.g., US, CA, GB)"),
+            state: z
+              .string()
+              .trim()
+              .min(1)
+              .max(64, "State cannot exceed 64 characters")
+              .regex(
+                new RE2('^[^,=+<>#;\\\\"/\\r\\n\\t]*$'),
+                'State contains invalid characters: , = + < > # ; \\ " / \\r \\n \\t'
+              )
+              .regex(
+                new RE2("^[^\\\\s\\\\-_.]+.*[^\\\\s\\\\-_.]+$|^[^\\\\s\\\\-_.]{1}$"),
+                "State cannot start or end with spaces, hyphens, underscores, or periods"
+              )
+              .optional()
+              .describe("State/Province (ST) - Maximum 64 characters, no special DN characters"),
+            locality: z
+              .string()
+              .trim()
+              .min(1)
+              .max(64, "Locality cannot exceed 64 characters")
+              .regex(
+                new RE2('^[^,=+<>#;\\\\"/\\r\\n\\t]*$'),
+                'Locality contains invalid characters: , = + < > # ; \\ " / \\r \\n \\t'
+              )
+              .regex(
+                new RE2("^[^\\\\s\\\\-_.]+.*[^\\\\s\\\\-_.]+$|^[^\\\\s\\\\-_.]{1}$"),
+                "Locality cannot start or end with spaces, hyphens, underscores, or periods"
+              )
+              .optional()
+              .describe("Locality (L) - Maximum 64 characters, no special DN characters"),
+            emailAddress: z
+              .string()
+              .trim()
+              .email("Email Address must be a valid email format")
+              .min(6, "Email Address must be at least 6 characters")
+              .max(64, "Email Address cannot exceed 64 characters")
+              .optional()
+              .describe("Email Address - Valid email format between 6 and 64 characters")
+          })
+          .optional()
+          .describe("Additional subscriber properties and subject fields")
      }),
      response: {
        200: sanitizedPkiSubscriber
@@ -199,7 +281,88 @@ export const registerPkiSubscriberRouter = async (server: FastifyZodProvider) =>
          .optional()
          .describe(PKI_SUBSCRIBERS.UPDATE.extendedKeyUsages),
        enableAutoRenewal: z.boolean().optional().describe(PKI_SUBSCRIBERS.UPDATE.enableAutoRenewal),
-        autoRenewalPeriodInDays: z.number().min(1).optional().describe(PKI_SUBSCRIBERS.UPDATE.autoRenewalPeriodInDays)
+        autoRenewalPeriodInDays: z.number().min(1).optional().describe(PKI_SUBSCRIBERS.UPDATE.autoRenewalPeriodInDays),
+        properties: z
+          .object({
+            azureTemplateType: z.string().optional().describe("Azure ADCS Certificate Template Type"),
+            organization: z
+              .string()
+              .trim()
+              .min(1)
+              .max(64, "Organization cannot exceed 64 characters")
+              .regex(
+                new RE2('^[^,=+<>#;\\\\"/\\r\\n\\t]*$'),
+                'Organization contains invalid characters: , = + < > # ; \\ " / \\r \\n \\t'
+              )
+              .regex(
+                new RE2("^[^\\\\s\\\\-_.]+.*[^\\\\s\\\\-_.]+$|^[^\\\\s\\\\-_.]{1}$"),
+                "Organization cannot start or end with spaces, hyphens, underscores, or periods"
+              )
+              .optional()
+              .describe("Organization (O) - Maximum 64 characters, no special DN characters"),
+            organizationalUnit: z
+              .string()
+              .trim()
+              .min(1)
+              .max(64, "Organizational Unit cannot exceed 64 characters")
+              .regex(
+                new RE2('^[^,=+<>#;\\\\"/\\r\\n\\t]*$'),
+                'Organizational Unit contains invalid characters: , = + < > # ; \\ " / \\r \\n \\t'
+              )
+              .regex(
+                new RE2("^[^\\\\s\\\\-_.]+.*[^\\\\s\\\\-_.]+$|^[^\\\\s\\\\-_.]{1}$"),
+                "Organizational Unit cannot start or end with spaces, hyphens, underscores, or periods"
+              )
+              .optional()
+              .describe("Organizational Unit (OU) - Maximum 64 characters, no special DN characters"),
+            country: z
+              .string()
+              .trim()
+              .length(2, "Country must be exactly 2 characters")
+              .regex(new RE2("^[A-Z]{2}$"), "Country must be exactly 2 uppercase letters")
+              .optional()
+              .describe("Country (C) - Two uppercase letter country code (e.g., US, CA, GB)"),
+            state: z
+              .string()
+              .trim()
+              .min(1)
+              .max(64, "State cannot exceed 64 characters")
+              .regex(
+                new RE2('^[^,=+<>#;\\\\"/\\r\\n\\t]*$'),
+                'State contains invalid characters: , = + < > # ; \\ " / \\r \\n \\t'
+              )
+              .regex(
+                new RE2("^[^\\\\s\\\\-_.]+.*[^\\\\s\\\\-_.]+$|^[^\\\\s\\\\-_.]{1}$"),
+                "State cannot start or end with spaces, hyphens, underscores, or periods"
+              )
+              .optional()
+              .describe("State/Province (ST) - Maximum 64 characters, no special DN characters"),
+            locality: z
+              .string()
+              .trim()
+              .min(1)
+              .max(64, "Locality cannot exceed 64 characters")
+              .regex(
+                new RE2('^[^,=+<>#;\\\\"/\\r\\n\\t]*$'),
+                'Locality contains invalid characters: , = + < > # ; \\ " / \\r \\n \\t'
+              )
+              .regex(
+                new RE2("^[^\\\\s\\\\-_.]+.*[^\\\\s\\\\-_.]+$|^[^\\\\s\\\\-_.]{1}$"),
+                "Locality cannot start or end with spaces, hyphens, underscores, or periods"
+              )
+              .optional()
+              .describe("Locality (L) - Maximum 64 characters, no special DN characters"),
+            emailAddress: z
+              .string()
+              .trim()
+              .email("Email Address must be a valid email format")
+              .min(6, "Email Address must be at least 6 characters")
+              .max(64, "Email Address cannot exceed 64 characters")
+              .optional()
+              .describe("Email Address - Valid email format between 6 and 64 characters")
+          })
+          .optional()
+          .describe("Additional subscriber properties and subject fields")
      }),
      response: {
        200: sanitizedPkiSubscriber
--- a/backend/src/server/routes/v2/certificate-authority-router.ts
+++ b/backend/src/server/routes/v2/certificate-authority-router.ts
@@ -6,12 +6,14 @@ import { readLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { AcmeCertificateAuthoritySchema } from "@app/services/certificate-authority/acme/acme-certificate-authority-schemas";
+import { AzureAdCsCertificateAuthoritySchema } from "@app/services/certificate-authority/azure-ad-cs/azure-ad-cs-certificate-authority-schemas";
 import { CaType } from "@app/services/certificate-authority/certificate-authority-enums";
 import { InternalCertificateAuthoritySchema } from "@app/services/certificate-authority/internal/internal-certificate-authority-schemas";

 const CertificateAuthoritySchema = z.discriminatedUnion("type", [
  InternalCertificateAuthoritySchema,
-  AcmeCertificateAuthoritySchema
+  AcmeCertificateAuthoritySchema,
+  AzureAdCsCertificateAuthoritySchema
 ]);

 export const registerCaRouter = async (server: FastifyZodProvider) => {
@@ -52,19 +54,31 @@ export const registerCaRouter = async (server: FastifyZodProvider) => {
        req.permission
      );

+      const azureAdCsCas = await server.services.certificateAuthority.listCertificateAuthoritiesByProjectId(
+        {
+          projectId: req.query.projectId,
+          type: CaType.AZURE_AD_CS
+        },
+        req.permission
+      );
+
      await server.services.auditLog.createAuditLog({
        ...req.auditLogInfo,
        projectId: req.query.projectId,
        event: {
          type: EventType.GET_CAS,
          metadata: {
-            caIds: [...(internalCas ?? []).map((ca) => ca.id), ...(acmeCas ?? []).map((ca) => ca.id)]
+            caIds: [
+              ...(internalCas ?? []).map((ca) => ca.id),
+              ...(acmeCas ?? []).map((ca) => ca.id),
+              ...(azureAdCsCas ?? []).map((ca) => ca.id)
+            ]
          }
        }
      });

      return {
-        certificateAuthorities: [...(internalCas ?? []), ...(acmeCas ?? [])]
+        certificateAuthorities: [...(internalCas ?? []), ...(acmeCas ?? []), ...(azureAdCsCas ?? [])]
      };
    }
  });
--- a/backend/src/server/routes/v3/external-migration-router.ts
+++ b/backend/src/server/routes/v3/external-migration-router.ts
@@ -2,10 +2,13 @@ import fastifyMultipart from "@fastify/multipart";
 import { z } from "zod";

 import { BadRequestError } from "@app/lib/errors";
-import { writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
-import { VaultMappingType } from "@app/services/external-migration/external-migration-types";
+import {
+  ExternalMigrationProviders,
+  VaultMappingType
+} from "@app/services/external-migration/external-migration-types";

 const MB25_IN_BYTES = 26214400;

@@ -66,7 +69,8 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
        vaultAccessToken: z.string(),
        vaultNamespace: z.string().trim().optional(),
        vaultUrl: z.string(),
-        mappingType: z.nativeEnum(VaultMappingType)
+        mappingType: z.nativeEnum(VaultMappingType),
+        gatewayId: z.string().optional()
      })
    },
    onRequest: verifyAuth([AuthMode.JWT]),
@@ -80,4 +84,33 @@ export const registerExternalMigrationRouter = async (server: FastifyZodProvider
      });
    }
  });
+
+  server.route({
+    method: "GET",
+    url: "/custom-migration-enabled/:provider",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        provider: z.nativeEnum(ExternalMigrationProviders)
+      }),
+      response: {
+        200: z.object({
+          enabled: z.boolean()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const enabled = await server.services.migration.hasCustomVaultMigration({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        provider: req.params.provider
+      });
+      return { enabled };
+    }
+  });
 };
--- a/backend/src/server/routes/v3/secret-router.ts
+++ b/backend/src/server/routes/v3/secret-router.ts
@@ -419,6 +419,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
        200: z.object({
          secret: secretRawSchema.extend({
            secretValueHidden: z.boolean(),
+            secretPath: z.string(),
            tags: SanitizedTagSchema.array().optional(),
            secretMetadata: ResourceMetadataSchema.optional()
          })
--- a/backend/src/services/app-connection/app-connection-enums.ts
+++ b/backend/src/services/app-connection/app-connection-enums.ts
@@ -8,6 +8,7 @@ export enum AppConnection {
  AzureAppConfiguration = "azure-app-configuration",
  AzureClientSecrets = "azure-client-secrets",
  AzureDevOps = "azure-devops",
+  AzureADCS = "azure-adcs",
  Humanitec = "humanitec",
  TerraformCloud = "terraform-cloud",
  Vercel = "vercel",
--- a/backend/src/services/app-connection/app-connection-fns.ts
+++ b/backend/src/services/app-connection/app-connection-fns.ts
@@ -31,6 +31,11 @@ import {
 } from "./app-connection-types";
 import { Auth0ConnectionMethod, getAuth0ConnectionListItem, validateAuth0ConnectionCredentials } from "./auth0";
 import { AwsConnectionMethod, getAwsConnectionListItem, validateAwsConnectionCredentials } from "./aws";
+import { AzureADCSConnectionMethod } from "./azure-adcs";
+import {
+  getAzureADCSConnectionListItem,
+  validateAzureADCSConnectionCredentials
+} from "./azure-adcs/azure-adcs-connection-fns";
 import {
  AzureAppConfigurationConnectionMethod,
  getAzureAppConfigurationConnectionListItem,
@@ -136,6 +141,7 @@ export const listAppConnectionOptions = () => {
    getAzureKeyVaultConnectionListItem(),
    getAzureAppConfigurationConnectionListItem(),
    getAzureDevopsConnectionListItem(),
+    getAzureADCSConnectionListItem(),
    getDatabricksConnectionListItem(),
    getHumanitecConnectionListItem(),
    getTerraformCloudConnectionListItem(),
@@ -227,6 +233,7 @@ export const validateAppConnectionCredentials = async (
    [AppConnection.AzureClientSecrets]:
      validateAzureClientSecretsConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.AzureDevOps]: validateAzureDevOpsConnectionCredentials as TAppConnectionCredentialsValidator,
+    [AppConnection.AzureADCS]: validateAzureADCSConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.Humanitec]: validateHumanitecConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.Postgres]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
    [AppConnection.MsSql]: validateSqlConnectionCredentials as TAppConnectionCredentialsValidator,
@@ -300,6 +307,7 @@ export const getAppConnectionMethodName = (method: TAppConnection["method"]) =>
    case MsSqlConnectionMethod.UsernameAndPassword:
    case MySqlConnectionMethod.UsernameAndPassword:
    case OracleDBConnectionMethod.UsernameAndPassword:
+    case AzureADCSConnectionMethod.UsernamePassword:
      return "Username & Password";
    case WindmillConnectionMethod.AccessToken:
    case HCVaultConnectionMethod.AccessToken:
@@ -357,6 +365,7 @@ export const TRANSITION_CONNECTION_CREDENTIALS_TO_PLATFORM: Record<
  [AppConnection.AzureKeyVault]: platformManagedCredentialsNotSupported,
  [AppConnection.AzureAppConfiguration]: platformManagedCredentialsNotSupported,
  [AppConnection.AzureDevOps]: platformManagedCredentialsNotSupported,
+  [AppConnection.AzureADCS]: platformManagedCredentialsNotSupported,
  [AppConnection.Humanitec]: platformManagedCredentialsNotSupported,
  [AppConnection.Postgres]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
  [AppConnection.MsSql]: transferSqlConnectionCredentialsToPlatform as TAppConnectionTransitionCredentialsToPlatform,
--- a/backend/src/services/app-connection/app-connection-maps.ts
+++ b/backend/src/services/app-connection/app-connection-maps.ts
@@ -9,6 +9,7 @@ export const APP_CONNECTION_NAME_MAP: Record<AppConnection, string> = {
  [AppConnection.AzureAppConfiguration]: "Azure App Configuration",
  [AppConnection.AzureClientSecrets]: "Azure Client Secrets",
  [AppConnection.AzureDevOps]: "Azure DevOps",
+  [AppConnection.AzureADCS]: "Azure ADCS",
  [AppConnection.Databricks]: "Databricks",
  [AppConnection.Humanitec]: "Humanitec",
  [AppConnection.TerraformCloud]: "Terraform Cloud",
@@ -49,6 +50,7 @@ export const APP_CONNECTION_PLAN_MAP: Record<AppConnection, AppConnectionPlanTyp
  [AppConnection.AzureAppConfiguration]: AppConnectionPlanType.Regular,
  [AppConnection.AzureClientSecrets]: AppConnectionPlanType.Regular,
  [AppConnection.AzureDevOps]: AppConnectionPlanType.Regular,
+  [AppConnection.AzureADCS]: AppConnectionPlanType.Regular,
  [AppConnection.Databricks]: AppConnectionPlanType.Regular,
  [AppConnection.Humanitec]: AppConnectionPlanType.Regular,
  [AppConnection.TerraformCloud]: AppConnectionPlanType.Regular,
--- a/backend/src/services/app-connection/app-connection-service.ts
+++ b/backend/src/services/app-connection/app-connection-service.ts
@@ -45,6 +45,7 @@ import {
 import { ValidateAuth0ConnectionCredentialsSchema } from "./auth0";
 import { ValidateAwsConnectionCredentialsSchema } from "./aws";
 import { awsConnectionService } from "./aws/aws-connection-service";
+import { ValidateAzureADCSConnectionCredentialsSchema } from "./azure-adcs/azure-adcs-connection-schemas";
 import { ValidateAzureAppConfigurationConnectionCredentialsSchema } from "./azure-app-configuration";
 import { ValidateAzureClientSecretsConnectionCredentialsSchema } from "./azure-client-secrets";
 import { azureClientSecretsConnectionService } from "./azure-client-secrets/azure-client-secrets-service";
@@ -122,6 +123,7 @@ const VALIDATE_APP_CONNECTION_CREDENTIALS_MAP: Record<AppConnection, TValidateAp
  [AppConnection.AzureKeyVault]: ValidateAzureKeyVaultConnectionCredentialsSchema,
  [AppConnection.AzureAppConfiguration]: ValidateAzureAppConfigurationConnectionCredentialsSchema,
  [AppConnection.AzureDevOps]: ValidateAzureDevOpsConnectionCredentialsSchema,
+  [AppConnection.AzureADCS]: ValidateAzureADCSConnectionCredentialsSchema,
  [AppConnection.Databricks]: ValidateDatabricksConnectionCredentialsSchema,
  [AppConnection.Humanitec]: ValidateHumanitecConnectionCredentialsSchema,
  [AppConnection.TerraformCloud]: ValidateTerraformCloudConnectionCredentialsSchema,
@@ -598,7 +600,7 @@ export const appConnectionServiceFactory = ({
    azureClientSecrets: azureClientSecretsConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
    azureDevOps: azureDevOpsConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
    auth0: auth0ConnectionService(connectAppConnectionById, appConnectionDAL, kmsService),
-    hcvault: hcVaultConnectionService(connectAppConnectionById),
+    hcvault: hcVaultConnectionService(connectAppConnectionById, gatewayService),
    windmill: windmillConnectionService(connectAppConnectionById),
    teamcity: teamcityConnectionService(connectAppConnectionById),
    oci: ociConnectionService(connectAppConnectionById, licenseService),
--- a/backend/src/services/app-connection/app-connection-types.ts
+++ b/backend/src/services/app-connection/app-connection-types.ts
@@ -33,6 +33,12 @@ import {
  TAwsConnectionInput,
  TValidateAwsConnectionCredentialsSchema
 } from "./aws";
+import {
+  TAzureADCSConnection,
+  TAzureADCSConnectionConfig,
+  TAzureADCSConnectionInput,
+  TValidateAzureADCSConnectionCredentialsSchema
+} from "./azure-adcs/azure-adcs-connection-types";
 import {
  TAzureAppConfigurationConnection,
  TAzureAppConfigurationConnectionConfig,
@@ -223,6 +229,7 @@ export type TAppConnection = { id: string } & (
  | TAzureKeyVaultConnection
  | TAzureAppConfigurationConnection
  | TAzureDevOpsConnection
+  | TAzureADCSConnection
  | TDatabricksConnection
  | THumanitecConnection
  | TTerraformCloudConnection
@@ -267,6 +274,7 @@ export type TAppConnectionInput = { id: string } & (
  | TAzureKeyVaultConnectionInput
  | TAzureAppConfigurationConnectionInput
  | TAzureDevOpsConnectionInput
+  | TAzureADCSConnectionInput
  | TDatabricksConnectionInput
  | THumanitecConnectionInput
  | TTerraformCloudConnectionInput
@@ -322,6 +330,7 @@ export type TAppConnectionConfig =
  | TAzureKeyVaultConnectionConfig
  | TAzureAppConfigurationConnectionConfig
  | TAzureDevOpsConnectionConfig
+  | TAzureADCSConnectionConfig
  | TAzureClientSecretsConnectionConfig
  | TDatabricksConnectionConfig
  | THumanitecConnectionConfig
@@ -359,6 +368,7 @@ export type TValidateAppConnectionCredentialsSchema =
  | TValidateAzureAppConfigurationConnectionCredentialsSchema
  | TValidateAzureClientSecretsConnectionCredentialsSchema
  | TValidateAzureDevOpsConnectionCredentialsSchema
+  | TValidateAzureADCSConnectionCredentialsSchema
  | TValidateDatabricksConnectionCredentialsSchema
  | TValidateHumanitecConnectionCredentialsSchema
  | TValidatePostgresConnectionCredentialsSchema
--- a/backend/src/services/app-connection/auth0/auth0-connection-fns.ts
+++ b/backend/src/services/app-connection/auth0/auth0-connection-fns.ts
@@ -91,7 +91,7 @@ export const validateAuth0ConnectionCredentials = async ({ credentials }: TAuth0
    };
  } catch (e: unknown) {
    throw new BadRequestError({
-      message: (e as Error).message ?? `Unable to validate connection: verify credentials`
+      message: (e as Error).message ?? "Unable to validate connection: verify credentials"
    });
  }
 };
--- a/backend/src/services/app-connection/azure-adcs/azure-adcs-connection-enums.ts
+++ b/backend/src/services/app-connection/azure-adcs/azure-adcs-connection-enums.ts
@@ -0,0 +1,3 @@
+export enum AzureADCSConnectionMethod {
+  UsernamePassword = "username-password"
+}
--- a/backend/src/services/app-connection/azure-adcs/azure-adcs-connection-fns.ts
+++ b/backend/src/services/app-connection/azure-adcs/azure-adcs-connection-fns.ts
@@ -0,0 +1,455 @@
+/* eslint-disable no-case-declarations, @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-var-requires, no-await-in-loop, no-continue */
+import { NtlmClient } from "axios-ntlm";
+import https from "https";
+
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
+import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator/validate-url";
+import { decryptAppConnectionCredentials } from "@app/services/app-connection/app-connection-fns";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { TAppConnectionDALFactory } from "../app-connection-dal";
+import { AppConnection } from "../app-connection-enums";
+import { AzureADCSConnectionMethod } from "./azure-adcs-connection-enums";
+import { TAzureADCSConnectionConfig } from "./azure-adcs-connection-types";
+
+// Type definitions for axios-ntlm
+interface AxiosNtlmConfig {
+  ntlm: {
+    domain: string;
+    username: string;
+    password: string;
+  };
+  httpsAgent?: https.Agent;
+  url: string;
+  method?: string;
+  data?: string;
+  headers?: Record<string, string>;
+}
+
+interface AxiosNtlmResponse {
+  status: number;
+  data: string;
+  headers: unknown;
+}
+
+// Types for credential parsing
+interface ParsedCredentials {
+  domain: string;
+  username: string;
+  fullUsername: string; // domain\username format
+}
+
+// Helper function to parse and normalize credentials for Windows authentication
+const parseCredentials = (inputUsername: string): ParsedCredentials => {
+  // Ensure inputUsername is a string
+  if (typeof inputUsername !== "string" || !inputUsername.trim()) {
+    throw new BadRequestError({
+      message: "Username must be a non-empty string"
+    });
+  }
+
+  let domain = "";
+  let username = "";
+  let fullUsername = "";
+
+  if (inputUsername.includes("\\")) {
+    // Already in domain\username format
+    const parts = inputUsername.split("\\");
+    if (parts.length === 2) {
+      [domain, username] = parts;
+      fullUsername = inputUsername;
+    } else {
+      throw new BadRequestError({
+        message: "Invalid domain\\username format. Expected format: DOMAIN\\username"
+      });
+    }
+  } else if (inputUsername.includes("@")) {
+    // UPN format: user@domain.com
+    const [user, domainPart] = inputUsername.split("@");
+    if (!user || !domainPart) {
+      throw new BadRequestError({
+        message: "Invalid UPN format. Expected format: user@domain.com"
+      });
+    }
+
+    username = user;
+    // Extract NetBIOS name from FQDN
+    domain = domainPart.split(".")[0].toUpperCase();
+    fullUsername = `${domain}\\${username}`;
+  } else {
+    // Plain username - assume local account or current domain
+    username = inputUsername;
+    domain = "";
+    fullUsername = inputUsername;
+  }
+
+  return { domain, username, fullUsername };
+};
+
+// Helper to normalize URL
+const normalizeAdcsUrl = (url: string): string => {
+  let normalizedUrl = url.trim();
+
+  // Remove trailing slash
+  normalizedUrl = normalizedUrl.replace(/\/$/, "");
+
+  // Ensure HTTPS protocol
+  if (normalizedUrl.startsWith("http://")) {
+    normalizedUrl = normalizedUrl.replace("http://", "https://");
+  } else if (!normalizedUrl.startsWith("https://")) {
+    normalizedUrl = `https://${normalizedUrl}`;
+  }
+
+  return normalizedUrl;
+};
+
+// NTLM request wrapper
+const createHttpsAgent = (sslRejectUnauthorized: boolean, sslCertificate?: string): https.Agent => {
+  const agentOptions: https.AgentOptions = {
+    rejectUnauthorized: sslRejectUnauthorized,
+    keepAlive: true, // axios-ntlm needs keepAlive for NTLM handshake
+    ca: sslCertificate ? [sslCertificate.trim()] : undefined,
+    // Disable hostname verification as Microsoft servers by default use local IPs for certificates
+    // which may not match the hostname used to connect
+    checkServerIdentity: () => undefined
+  };
+
+  return new https.Agent(agentOptions);
+};
+
+const axiosNtlmRequest = async (config: AxiosNtlmConfig): Promise<AxiosNtlmResponse> => {
+  const method = config.method || "GET";
+
+  const credentials = {
+    username: config.ntlm.username,
+    password: config.ntlm.password,
+    domain: config.ntlm.domain || "",
+    workstation: ""
+  };
+
+  const axiosConfig = {
+    httpsAgent: config.httpsAgent,
+    timeout: 30000
+  };
+
+  const client = NtlmClient(credentials, axiosConfig);
+
+  const requestOptions: { url: string; method: string; data?: string; headers?: Record<string, string> } = {
+    url: config.url,
+    method
+  };
+
+  if (config.data) {
+    requestOptions.data = config.data;
+  }
+
+  if (config.headers) {
+    requestOptions.headers = config.headers;
+  }
+
+  const response = await client(requestOptions);
+
+  return {
+    status: response.status,
+    data: response.data,
+    headers: response.headers
+  };
+};
+
+// Test ADCS connectivity and authentication using NTLM
+const testAdcsConnection = async (
+  credentials: ParsedCredentials,
+  password: string,
+  baseUrl: string,
+  sslRejectUnauthorized: boolean = true,
+  sslCertificate?: string
+): Promise<boolean> => {
+  // Test endpoints in order of preference
+  const testEndpoints = [
+    "/certsrv/certrqus.asp", // Certificate request status (most reliable)
+    "/certsrv/certfnsh.asp", // Certificate finalization
+    "/certsrv/default.asp", // Main ADCS page
+    "/certsrv/" // Root certsrv
+  ];
+
+  for (const endpoint of testEndpoints) {
+    try {
+      const testUrl = `${baseUrl}${endpoint}`;
+
+      const shouldRejectUnauthorized = sslRejectUnauthorized;
+
+      const httpsAgent = createHttpsAgent(shouldRejectUnauthorized, sslCertificate);
+
+      const response = await axiosNtlmRequest({
+        url: testUrl,
+        method: "GET",
+        httpsAgent,
+        ntlm: {
+          domain: credentials.domain,
+          username: credentials.username,
+          password
+        }
+      });
+
+      // Check if we got a successful response
+      if (response.status === 200) {
+        const responseText = response.data;
+
+        // Verify this is actually an ADCS server by checking content
+        const adcsIndicators = [
+          "Microsoft Active Directory Certificate Services",
+          "Certificate Services",
+          "Request a certificate",
+          "certsrv",
+          "Certificate Template",
+          "Web Enrollment"
+        ];
+
+        const isAdcsServer = adcsIndicators.some((indicator) =>
+          responseText.toLowerCase().includes(indicator.toLowerCase())
+        );
+
+        if (isAdcsServer) {
+          // Successfully authenticated and confirmed ADCS
+          return true;
+        }
+      }
+
+      if (response.status === 401) {
+        throw new BadRequestError({
+          message: "Authentication failed. Please verify your credentials are correct."
+        });
+      }
+
+      if (response.status === 403) {
+        throw new BadRequestError({
+          message: "Access denied. Your account may not have permission to access ADCS web enrollment."
+        });
+      }
+    } catch (error) {
+      if (error instanceof BadRequestError) {
+        throw error;
+      }
+
+      // Handle network and connection errors
+      if (error instanceof Error) {
+        if (error.message.includes("ENOTFOUND")) {
+          throw new BadRequestError({
+            message: "Cannot resolve ADCS server hostname. Please verify the URL is correct."
+          });
+        }
+        if (error.message.includes("ECONNREFUSED")) {
+          throw new BadRequestError({
+            message: "Connection refused by ADCS server. Please verify the server is running and accessible."
+          });
+        }
+        if (error.message.includes("ETIMEDOUT") || error.message.includes("timeout")) {
+          throw new BadRequestError({
+            message: "Connection timeout. Please verify the server is accessible and not blocked by firewall."
+          });
+        }
+        if (error.message.includes("certificate") || error.message.includes("SSL") || error.message.includes("TLS")) {
+          throw new BadRequestError({
+            message: `SSL/TLS certificate error: ${error.message}. This may indicate a certificate verification failure.`
+          });
+        }
+        if (error.message.includes("DEPTH_ZERO_SELF_SIGNED_CERT")) {
+          throw new BadRequestError({
+            message:
+              "Self-signed certificate detected. Either provide the server's certificate or set 'sslRejectUnauthorized' to false."
+          });
+        }
+        if (error.message.includes("UNABLE_TO_VERIFY_LEAF_SIGNATURE")) {
+          throw new BadRequestError({
+            message: "Unable to verify certificate signature. Please provide the correct CA certificate."
+          });
+        }
+      }
+
+      // Continue to next endpoint for other errors
+      continue;
+    }
+  }
+
+  // If we get here, no endpoint worked
+  throw new BadRequestError({
+    message: "Could not connect to ADCS server. Please verify the server URL and that Web Enrollment is enabled."
+  });
+};
+
+// Create authenticated NTLM client for ADCS operations
+const createNtlmClient = (
+  username: string,
+  password: string,
+  baseUrl: string,
+  sslRejectUnauthorized: boolean = true,
+  sslCertificate?: string
+) => {
+  const parsedCredentials = parseCredentials(username);
+  const normalizedUrl = normalizeAdcsUrl(baseUrl);
+
+  return {
+    get: async (endpoint: string, additionalHeaders: Record<string, string> = {}) => {
+      const shouldRejectUnauthorized = sslRejectUnauthorized;
+
+      const httpsAgent = createHttpsAgent(shouldRejectUnauthorized, sslCertificate);
+
+      return axiosNtlmRequest({
+        url: `${normalizedUrl}${endpoint}`,
+        method: "GET",
+        httpsAgent,
+        headers: additionalHeaders,
+        ntlm: {
+          domain: parsedCredentials.domain,
+          username: parsedCredentials.username,
+          password
+        }
+      });
+    },
+    post: async (endpoint: string, body: string, additionalHeaders: Record<string, string> = {}) => {
+      const shouldRejectUnauthorized = sslRejectUnauthorized;
+
+      const httpsAgent = createHttpsAgent(shouldRejectUnauthorized, sslCertificate);
+
+      return axiosNtlmRequest({
+        url: `${normalizedUrl}${endpoint}`,
+        method: "POST",
+        httpsAgent,
+        data: body,
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          ...additionalHeaders
+        },
+        ntlm: {
+          domain: parsedCredentials.domain,
+          username: parsedCredentials.username,
+          password
+        }
+      });
+    },
+    baseUrl: normalizedUrl,
+    credentials: parsedCredentials
+  };
+};
+
+export const getAzureADCSConnectionCredentials = async (
+  connectionId: string,
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "findById">,
+  kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">
+) => {
+  const appConnection = await appConnectionDAL.findById(connectionId);
+
+  if (!appConnection) {
+    throw new NotFoundError({ message: `Connection with ID '${connectionId}' not found` });
+  }
+
+  if (appConnection.app !== AppConnection.AzureADCS) {
+    throw new BadRequestError({ message: `Connection with ID '${connectionId}' is not an Azure ADCS connection` });
+  }
+
+  switch (appConnection.method) {
+    case AzureADCSConnectionMethod.UsernamePassword:
+      const credentials = (await decryptAppConnectionCredentials({
+        orgId: appConnection.orgId,
+        kmsService,
+        encryptedCredentials: appConnection.encryptedCredentials
+      })) as {
+        username: string;
+        password: string;
+        adcsUrl: string;
+        sslRejectUnauthorized?: boolean;
+        sslCertificate?: string;
+      };
+
+      return {
+        username: credentials.username,
+        password: credentials.password,
+        adcsUrl: credentials.adcsUrl,
+        sslRejectUnauthorized: credentials.sslRejectUnauthorized ?? true,
+        sslCertificate: credentials.sslCertificate
+      };
+
+    default:
+      throw new BadRequestError({
+        message: `Unsupported Azure ADCS connection method: ${appConnection.method}`
+      });
+  }
+};
+
+export const validateAzureADCSConnectionCredentials = async (appConnection: TAzureADCSConnectionConfig) => {
+  const { credentials } = appConnection;
+
+  try {
+    // Parse and validate credentials
+    const parsedCredentials = parseCredentials(credentials.username);
+    const normalizedUrl = normalizeAdcsUrl(credentials.adcsUrl);
+
+    // Validate URL to prevent DNS manipulation attacks and SSRF
+    await blockLocalAndPrivateIpAddresses(normalizedUrl);
+
+    // Test the connection using NTLM
+    await testAdcsConnection(
+      parsedCredentials,
+      credentials.password,
+      normalizedUrl,
+      credentials.sslRejectUnauthorized ?? true,
+      credentials.sslCertificate
+    );
+
+    // If we get here, authentication was successful
+    return {
+      username: credentials.username,
+      password: credentials.password,
+      adcsUrl: credentials.adcsUrl,
+      sslRejectUnauthorized: credentials.sslRejectUnauthorized ?? true,
+      sslCertificate: credentials.sslCertificate
+    };
+  } catch (error) {
+    if (error instanceof BadRequestError) {
+      throw error;
+    }
+
+    // Handle unexpected errors
+    let errorMessage = "Unable to validate ADCS connection.";
+    if (error instanceof Error) {
+      if (error.message.includes("401") || error.message.includes("Unauthorized")) {
+        errorMessage = "NTLM authentication failed. Please verify your username, password, and domain are correct.";
+      } else if (error.message.includes("ENOTFOUND") || error.message.includes("ECONNREFUSED")) {
+        errorMessage = "Cannot connect to the ADCS server. Please verify the server URL is correct and accessible.";
+      } else if (error.message.includes("timeout")) {
+        errorMessage = "Connection to ADCS server timed out. Please verify the server is accessible.";
+      } else if (
+        error.message.includes("certificate") ||
+        error.message.includes("SSL") ||
+        error.message.includes("TLS") ||
+        error.message.includes("DEPTH_ZERO_SELF_SIGNED_CERT") ||
+        error.message.includes("UNABLE_TO_VERIFY_LEAF_SIGNATURE")
+      ) {
+        errorMessage = `SSL/TLS certificate error: ${error.message}. The server certificate may be self-signed or the CA certificate may be incorrect.`;
+      }
+    }
+
+    throw new BadRequestError({
+      message: `Failed to validate Azure ADCS connection: ${errorMessage} Details: ${
+        error instanceof Error ? error.message : "Unknown error"
+      }`
+    });
+  }
+};
+
+export const getAzureADCSConnectionListItem = () => ({
+  name: "Azure ADCS" as const,
+  app: AppConnection.AzureADCS as const,
+  methods: [AzureADCSConnectionMethod.UsernamePassword] as [AzureADCSConnectionMethod.UsernamePassword]
+});
+
+// Export helper functions for use in certificate ordering
+export const createAdcsHttpClient = (
+  username: string,
+  password: string,
+  baseUrl: string,
+  sslRejectUnauthorized: boolean = true,
+  sslCertificate?: string
+) => {
+  return createNtlmClient(username, password, baseUrl, sslRejectUnauthorized, sslCertificate);
+};
--- a/backend/src/services/app-connection/azure-adcs/azure-adcs-connection-schemas.ts
+++ b/backend/src/services/app-connection/azure-adcs/azure-adcs-connection-schemas.ts
@@ -0,0 +1,88 @@
+import z from "zod";
+
+import { AppConnections } from "@app/lib/api-docs";
+import { AppConnection } from "@app/services/app-connection/app-connection-enums";
+import {
+  BaseAppConnectionSchema,
+  GenericCreateAppConnectionFieldsSchema,
+  GenericUpdateAppConnectionFieldsSchema
+} from "@app/services/app-connection/app-connection-schemas";
+
+import { AzureADCSConnectionMethod } from "./azure-adcs-connection-enums";
+
+export const AzureADCSUsernamePasswordCredentialsSchema = z.object({
+  adcsUrl: z
+    .string()
+    .trim()
+    .min(1, "ADCS URL required")
+    .max(255)
+    .refine((value) => value.startsWith("https://"), "ADCS URL must use HTTPS")
+    .describe(AppConnections.CREDENTIALS.AZURE_ADCS.adcsUrl),
+  username: z
+    .string()
+    .trim()
+    .min(1, "Username required")
+    .max(255)
+    .describe(AppConnections.CREDENTIALS.AZURE_ADCS.username),
+  password: z
+    .string()
+    .trim()
+    .min(1, "Password required")
+    .max(255)
+    .describe(AppConnections.CREDENTIALS.AZURE_ADCS.password),
+  sslRejectUnauthorized: z.boolean().optional().describe(AppConnections.CREDENTIALS.AZURE_ADCS.sslRejectUnauthorized),
+  sslCertificate: z
+    .string()
+    .trim()
+    .transform((value) => value || undefined)
+    .optional()
+    .describe(AppConnections.CREDENTIALS.AZURE_ADCS.sslCertificate)
+});
+
+const BaseAzureADCSConnectionSchema = BaseAppConnectionSchema.extend({ app: z.literal(AppConnection.AzureADCS) });
+
+export const AzureADCSConnectionSchema = BaseAzureADCSConnectionSchema.extend({
+  method: z.literal(AzureADCSConnectionMethod.UsernamePassword),
+  credentials: AzureADCSUsernamePasswordCredentialsSchema
+});
+
+export const SanitizedAzureADCSConnectionSchema = z.discriminatedUnion("method", [
+  BaseAzureADCSConnectionSchema.extend({
+    method: z.literal(AzureADCSConnectionMethod.UsernamePassword),
+    credentials: AzureADCSUsernamePasswordCredentialsSchema.pick({
+      username: true,
+      adcsUrl: true,
+      sslRejectUnauthorized: true,
+      sslCertificate: true
+    })
+  })
+]);
+
+export const ValidateAzureADCSConnectionCredentialsSchema = z.discriminatedUnion("method", [
+  z.object({
+    method: z
+      .literal(AzureADCSConnectionMethod.UsernamePassword)
+      .describe(AppConnections.CREATE(AppConnection.AzureADCS).method),
+    credentials: AzureADCSUsernamePasswordCredentialsSchema.describe(
+      AppConnections.CREATE(AppConnection.AzureADCS).credentials
+    )
+  })
+]);
+
+export const CreateAzureADCSConnectionSchema = ValidateAzureADCSConnectionCredentialsSchema.and(
+  GenericCreateAppConnectionFieldsSchema(AppConnection.AzureADCS)
+);
+
+export const UpdateAzureADCSConnectionSchema = z
+  .object({
+    credentials: AzureADCSUsernamePasswordCredentialsSchema.optional().describe(
+      AppConnections.UPDATE(AppConnection.AzureADCS).credentials
+    )
+  })
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.AzureADCS));
+
+export const AzureADCSConnectionListItemSchema = z.object({
+  name: z.literal("Azure ADCS"),
+  app: z.literal(AppConnection.AzureADCS),
+  methods: z.nativeEnum(AzureADCSConnectionMethod).array()
+});
--- a/backend/src/services/app-connection/azure-adcs/azure-adcs-connection-types.ts
+++ b/backend/src/services/app-connection/azure-adcs/azure-adcs-connection-types.ts
@@ -0,0 +1,23 @@
+import z from "zod";
+
+import { DiscriminativePick } from "@app/lib/types";
+
+import { AppConnection } from "../app-connection-enums";
+import {
+  AzureADCSConnectionSchema,
+  CreateAzureADCSConnectionSchema,
+  ValidateAzureADCSConnectionCredentialsSchema
+} from "./azure-adcs-connection-schemas";
+
+export type TAzureADCSConnection = z.infer<typeof AzureADCSConnectionSchema>;
+
+export type TAzureADCSConnectionInput = z.infer<typeof CreateAzureADCSConnectionSchema> & {
+  app: AppConnection.AzureADCS;
+};
+
+export type TValidateAzureADCSConnectionCredentialsSchema = typeof ValidateAzureADCSConnectionCredentialsSchema;
+
+export type TAzureADCSConnectionConfig = DiscriminativePick<
+  TAzureADCSConnectionInput,
+  "method" | "app" | "credentials"
+>;
--- a/backend/src/services/app-connection/azure-adcs/index.ts
+++ b/backend/src/services/app-connection/azure-adcs/index.ts
@@ -0,0 +1,4 @@
+export * from "./azure-adcs-connection-enums";
+export * from "./azure-adcs-connection-fns";
+export * from "./azure-adcs-connection-schemas";
+export * from "./azure-adcs-connection-types";
--- a/backend/src/services/app-connection/azure-app-configuration/azure-app-configuration-connection-fns.ts
+++ b/backend/src/services/app-connection/azure-app-configuration/azure-app-configuration-connection-fns.ts
@@ -70,7 +70,7 @@ export const validateAzureAppConfigurationConnectionCredentials = async (
          tokenError = e;
        } else {
          throw new BadRequestError({
-            message: `Unable to validate connection: verify credentials`
+            message: "Unable to validate connection: verify credentials"
          });
        }
      }
--- a/backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-fns.ts
+++ b/backend/src/services/app-connection/azure-client-secrets/azure-client-secrets-connection-fns.ts
@@ -186,7 +186,7 @@ export const validateAzureClientSecretsConnectionCredentials = async (config: TA
          tokenError = e;
        } else {
          throw new BadRequestError({
-            message: `Unable to validate connection: verify credentials`
+            message: "Unable to validate connection: verify credentials"
          });
        }
      }
--- a/backend/src/services/app-connection/azure-devops/azure-devops-fns.ts
+++ b/backend/src/services/app-connection/azure-devops/azure-devops-fns.ts
@@ -204,7 +204,7 @@ export const validateAzureDevOpsConnectionCredentials = async (config: TAzureDev
          tokenError = e;
        } else {
          throw new BadRequestError({
-            message: `Unable to validate connection: verify credentials`
+            message: "Unable to validate connection: verify credentials"
          });
        }
      }
--- a/backend/src/services/app-connection/azure-key-vault/azure-key-vault-connection-fns.ts
+++ b/backend/src/services/app-connection/azure-key-vault/azure-key-vault-connection-fns.ts
@@ -186,7 +186,7 @@ export const validateAzureKeyVaultConnectionCredentials = async (config: TAzureK
          tokenError = e;
        } else {
          throw new BadRequestError({
-            message: `Unable to validate connection: verify credentials`
+            message: "Unable to validate connection: verify credentials"
          });
        }
      }
--- a/backend/src/services/app-connection/camunda/camunda-connection-fns.ts
+++ b/backend/src/services/app-connection/camunda/camunda-connection-fns.ts
@@ -82,7 +82,7 @@ export const validateCamundaConnectionCredentials = async (appConnection: TCamun
    };
  } catch (e: unknown) {
    throw new BadRequestError({
-      message: `Unable to validate connection: verify credentials`
+      message: "Unable to validate connection: verify credentials"
    });
  }
 };
--- a/backend/src/services/app-connection/databricks/databricks-connection-fns.ts
+++ b/backend/src/services/app-connection/databricks/databricks-connection-fns.ts
@@ -89,7 +89,7 @@ export const validateDatabricksConnectionCredentials = async (appConnection: TDa
    };
  } catch (e: unknown) {
    throw new BadRequestError({
-      message: `Unable to validate connection: verify credentials`
+      message: "Unable to validate connection: verify credentials"
    });
  }
 };
--- a/backend/src/services/app-connection/github-radar/github-radar-connection-fns.ts
+++ b/backend/src/services/app-connection/github-radar/github-radar-connection-fns.ts
@@ -114,7 +114,7 @@ export const validateGitHubRadarConnectionCredentials = async (config: TGitHubRa
    }

    throw new BadRequestError({
-      message: `Unable to validate connection: verify credentials`
+      message: "Unable to validate connection: verify credentials"
    });
  }

--- a/backend/src/services/app-connection/github/github-connection-fns.ts
+++ b/backend/src/services/app-connection/github/github-connection-fns.ts
@@ -447,7 +447,7 @@ export const validateGitHubConnectionCredentials = async (
    }

    throw new BadRequestError({
-      message: `Unable to validate connection: verify credentials`
+      message: "Unable to validate connection: verify credentials"
    });
  }

--- a/backend/src/services/app-connection/hc-vault/hc-vault-connection-fns.ts
+++ b/backend/src/services/app-connection/hc-vault/hc-vault-connection-fns.ts
@@ -1,18 +1,18 @@
-import { AxiosError } from "axios";
+import { AxiosError, AxiosRequestConfig, AxiosResponse } from "axios";
+import https from "https";

+import { verifyHostInputValidity } from "@app/ee/services/dynamic-secret/dynamic-secret-fns";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { request } from "@app/lib/config/request";
 import { BadRequestError } from "@app/lib/errors";
 import { removeTrailingSlash } from "@app/lib/fn";
+import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
+import { logger } from "@app/lib/logger";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
 import { AppConnection } from "@app/services/app-connection/app-connection-enums";

 import { HCVaultConnectionMethod } from "./hc-vault-connection-enums";
-import {
-  THCVaultConnection,
-  THCVaultConnectionConfig,
-  THCVaultMountResponse,
-  TValidateHCVaultConnectionCredentials
-} from "./hc-vault-connection-types";
+import { THCVaultConnection, THCVaultConnectionConfig, THCVaultMountResponse } from "./hc-vault-connection-types";

 export const getHCVaultInstanceUrl = async (config: THCVaultConnectionConfig) => {
  const instanceUrl = removeTrailingSlash(config.credentials.instanceUrl);
@@ -37,7 +37,78 @@ type TokenRespData = {
  };
 };

-export const getHCVaultAccessToken = async (connection: TValidateHCVaultConnectionCredentials) => {
+export const requestWithHCVaultGateway = async <T>(
+  appConnection: { gatewayId?: string | null },
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">,
+  requestConfig: AxiosRequestConfig
+): Promise<AxiosResponse<T>> => {
+  const { gatewayId } = appConnection;
+
+  // If gateway isn't set up, don't proxy request
+  if (!gatewayId) {
+    return request.request(requestConfig);
+  }
+
+  const url = new URL(requestConfig.url as string);
+
+  await blockLocalAndPrivateIpAddresses(url.toString());
+
+  const [targetHost] = await verifyHostInputValidity(url.hostname, true);
+  const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(gatewayId);
+  const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
+
+  return withGatewayProxy(
+    async (proxyPort) => {
+      const httpsAgent = new https.Agent({
+        servername: targetHost
+      });
+
+      url.protocol = "https:";
+      url.host = `localhost:${proxyPort}`;
+
+      const finalRequestConfig: AxiosRequestConfig = {
+        ...requestConfig,
+        url: url.toString(),
+        httpsAgent,
+        headers: {
+          ...requestConfig.headers,
+          Host: targetHost
+        }
+      };
+
+      try {
+        return await request.request(finalRequestConfig);
+      } catch (error) {
+        if (error instanceof AxiosError) {
+          logger.error(
+            { message: error.message, data: (error.response as undefined | { data: unknown })?.data },
+            "Error during HashiCorp Vault gateway request:"
+          );
+        }
+        throw error;
+      }
+    },
+    {
+      protocol: GatewayProxyProtocol.Tcp,
+      targetHost,
+      targetPort: url.port ? Number(url.port) : 8200, // 8200 is the default port for Vault self-hosted/dedicated
+      relayHost,
+      relayPort: Number(relayPort),
+      identityId: relayDetails.identityId,
+      orgId: relayDetails.orgId,
+      tlsOptions: {
+        ca: relayDetails.certChain,
+        cert: relayDetails.certificate,
+        key: relayDetails.privateKey.toString()
+      }
+    }
+  );
+};
+
+export const getHCVaultAccessToken = async (
+  connection: THCVaultConnection,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
+) => {
  // Return access token directly if not using AppRole method
  if (connection.method !== HCVaultConnectionMethod.AppRole) {
    return connection.credentials.accessToken;
@@ -46,16 +117,16 @@ export const getHCVaultAccessToken = async (connection: TValidateHCVaultConnecti
  // Generate temporary token for AppRole method
  try {
    const { instanceUrl, roleId, secretId } = connection.credentials;
-    const tokenResp = await request.post<TokenRespData>(
-      `${removeTrailingSlash(instanceUrl)}/v1/auth/approle/login`,
-      { role_id: roleId, secret_id: secretId },
-      {
-        headers: {
-          "Content-Type": "application/json",
-          ...(connection.credentials.namespace ? { "X-Vault-Namespace": connection.credentials.namespace } : {})
-        }
-      }
-    );
+
+    const tokenResp = await requestWithHCVaultGateway<TokenRespData>(connection, gatewayService, {
+      url: `${removeTrailingSlash(instanceUrl)}/v1/auth/approle/login`,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...(connection.credentials.namespace ? { "X-Vault-Namespace": connection.credentials.namespace } : {})
+      },
+      data: { role_id: roleId, secret_id: secretId }
+    });

    if (tokenResp.status !== 200) {
      throw new BadRequestError({
@@ -71,38 +142,55 @@ export const getHCVaultAccessToken = async (connection: TValidateHCVaultConnecti
  }
 };

-export const validateHCVaultConnectionCredentials = async (config: THCVaultConnectionConfig) => {
-  const instanceUrl = await getHCVaultInstanceUrl(config);
+export const validateHCVaultConnectionCredentials = async (
+  connection: THCVaultConnection,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
+) => {
+  const instanceUrl = await getHCVaultInstanceUrl(connection);

  try {
-    const accessToken = await getHCVaultAccessToken(config);
+    const accessToken = await getHCVaultAccessToken(connection, gatewayService);

    // Verify token
-    await request.get(`${instanceUrl}/v1/auth/token/lookup-self`, {
+    await requestWithHCVaultGateway(connection, gatewayService, {
+      url: `${instanceUrl}/v1/auth/token/lookup-self`,
+      method: "GET",
      headers: { "X-Vault-Token": accessToken }
    });

-    return config.credentials;
+    return connection.credentials;
  } catch (error: unknown) {
+    logger.error(error, "Unable to verify HC Vault connection");
+
    if (error instanceof AxiosError) {
      throw new BadRequestError({
        message: `Failed to validate credentials: ${error.message || "Unknown error"}`
      });
    }
+
+    if (error instanceof BadRequestError) {
+      throw error;
+    }
+
    throw new BadRequestError({
      message: "Unable to validate connection: verify credentials"
    });
  }
 };

-export const listHCVaultMounts = async (appConnection: THCVaultConnection) => {
-  const instanceUrl = await getHCVaultInstanceUrl(appConnection);
-  const accessToken = await getHCVaultAccessToken(appConnection);
+export const listHCVaultMounts = async (
+  connection: THCVaultConnection,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
+) => {
+  const instanceUrl = await getHCVaultInstanceUrl(connection);
+  const accessToken = await getHCVaultAccessToken(connection, gatewayService);

-  const { data } = await request.get<THCVaultMountResponse>(`${instanceUrl}/v1/sys/mounts`, {
+  const { data } = await requestWithHCVaultGateway<THCVaultMountResponse>(connection, gatewayService, {
+    url: `${instanceUrl}/v1/sys/mounts`,
+    method: "GET",
    headers: {
      "X-Vault-Token": accessToken,
-      ...(appConnection.credentials.namespace ? { "X-Vault-Namespace": appConnection.credentials.namespace } : {})
+      ...(connection.credentials.namespace ? { "X-Vault-Namespace": connection.credentials.namespace } : {})
    }
  });

--- a/backend/src/services/app-connection/hc-vault/hc-vault-connection-schemas.ts
+++ b/backend/src/services/app-connection/hc-vault/hc-vault-connection-schemas.ts
@@ -55,11 +55,18 @@ export const HCVaultConnectionSchema = z.intersection(
 export const SanitizedHCVaultConnectionSchema = z.discriminatedUnion("method", [
  BaseHCVaultConnectionSchema.extend({
    method: z.literal(HCVaultConnectionMethod.AccessToken),
-    credentials: HCVaultConnectionAccessTokenCredentialsSchema.pick({})
+    credentials: HCVaultConnectionAccessTokenCredentialsSchema.pick({
+      namespace: true,
+      instanceUrl: true
+    })
  }),
  BaseHCVaultConnectionSchema.extend({
    method: z.literal(HCVaultConnectionMethod.AppRole),
-    credentials: HCVaultConnectionAppRoleCredentialsSchema.pick({})
+    credentials: HCVaultConnectionAppRoleCredentialsSchema.pick({
+      namespace: true,
+      instanceUrl: true,
+      roleId: true
+    })
  })
 ]);

@@ -81,7 +88,7 @@ export const ValidateHCVaultConnectionCredentialsSchema = z.discriminatedUnion("
 ]);

 export const CreateHCVaultConnectionSchema = ValidateHCVaultConnectionCredentialsSchema.and(
-  GenericCreateAppConnectionFieldsSchema(AppConnection.HCVault)
+  GenericCreateAppConnectionFieldsSchema(AppConnection.HCVault, { supportsGateways: true })
 );

 export const UpdateHCVaultConnectionSchema = z
@@ -91,7 +98,7 @@ export const UpdateHCVaultConnectionSchema = z
      .optional()
      .describe(AppConnections.UPDATE(AppConnection.HCVault).credentials)
  })
-  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.HCVault));
+  .and(GenericUpdateAppConnectionFieldsSchema(AppConnection.HCVault, { supportsGateways: true }));

 export const HCVaultConnectionListItemSchema = z.object({
  name: z.literal("HCVault"),
--- a/backend/src/services/app-connection/hc-vault/hc-vault-connection-service.ts
+++ b/backend/src/services/app-connection/hc-vault/hc-vault-connection-service.ts
@@ -1,3 +1,4 @@
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { logger } from "@app/lib/logger";
 import { OrgServiceActor } from "@app/lib/types";

@@ -11,12 +12,15 @@ type TGetAppConnectionFunc = (
  actor: OrgServiceActor
 ) => Promise<THCVaultConnection>;

-export const hcVaultConnectionService = (getAppConnection: TGetAppConnectionFunc) => {
+export const hcVaultConnectionService = (
+  getAppConnection: TGetAppConnectionFunc,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
+) => {
  const listMounts = async (connectionId: string, actor: OrgServiceActor) => {
    const appConnection = await getAppConnection(AppConnection.HCVault, connectionId, actor);

    try {
-      const mounts = await listHCVaultMounts(appConnection);
+      const mounts = await listHCVaultMounts(appConnection, gatewayService);
      return mounts;
    } catch (error) {
      logger.error(error, "Failed to establish connection with Hashicorp Vault");
--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@@ -453,19 +453,24 @@ export const authLoginServiceFactory = ({

    const selectedOrg = await orgDAL.findById(organizationId);

-    // Check if authEnforced is true, if that's the case, throw an error
-    if (selectedOrg.authEnforced) {
-      throw new BadRequestError({
-        message: "Authentication is required by your organization before you can log in."
-      });
-    }
-
    if (!selectedOrgMembership) {
      throw new ForbiddenRequestError({
        message: `User does not have access to the organization named ${selectedOrg?.name}`
      });
    }

+    // Check if authEnforced is true and the current auth method is not an enforced method
+    if (
+      selectedOrg.authEnforced &&
+      !isAuthMethodSaml(decodedToken.authMethod) &&
+      decodedToken.authMethod !== AuthMethod.OIDC &&
+      !(selectedOrg.bypassOrgAuthEnabled && selectedOrgMembership.userRole === OrgMembershipRole.Admin)
+    ) {
+      throw new BadRequestError({
+        message: "Login with the auth method required by your organization."
+      });
+    }
+
    if (selectedOrg.googleSsoAuthEnforced && decodedToken.authMethod !== AuthMethod.GOOGLE) {
      const canBypass = selectedOrg.bypassOrgAuthEnabled && selectedOrgMembership.userRole === OrgMembershipRole.Admin;

--- a/backend/src/services/certificate-authority/acme/acme-certificate-authority-fns.ts
+++ b/backend/src/services/certificate-authority/acme/acme-certificate-authority-fns.ts
@@ -64,6 +64,8 @@ type DBConfigurationColumn = {
  directoryUrl: string;
  accountEmail: string;
  hostedZoneId: string;
+  eabKid?: string;
+  eabHmacKey?: string;
 };

 export const castDbEntryToAcmeCertificateAuthority = (
@@ -89,7 +91,9 @@ export const castDbEntryToAcmeCertificateAuthority = (
        hostedZoneId: dbConfigurationCol.hostedZoneId
      },
      directoryUrl: dbConfigurationCol.directoryUrl,
-      accountEmail: dbConfigurationCol.accountEmail
+      accountEmail: dbConfigurationCol.accountEmail,
+      eabKid: dbConfigurationCol.eabKid,
+      eabHmacKey: dbConfigurationCol.eabHmacKey
    },
    status: ca.status as CaStatus
  };
@@ -128,7 +132,7 @@ export const AcmeCertificateAuthorityFns = ({
      });
    }

-    const { dnsAppConnectionId, directoryUrl, accountEmail, dnsProviderConfig } = configuration;
+    const { dnsAppConnectionId, directoryUrl, accountEmail, dnsProviderConfig, eabKid, eabHmacKey } = configuration;
    const appConnection = await appConnectionDAL.findById(dnsAppConnectionId);

    if (!appConnection) {
@@ -171,7 +175,9 @@ export const AcmeCertificateAuthorityFns = ({
              directoryUrl,
              accountEmail,
              dnsProvider: dnsProviderConfig.provider,
-              hostedZoneId: dnsProviderConfig.hostedZoneId
+              hostedZoneId: dnsProviderConfig.hostedZoneId,
+              eabKid,
+              eabHmacKey
            }
          },
          tx
@@ -214,7 +220,7 @@ export const AcmeCertificateAuthorityFns = ({
  }) => {
    const updatedCa = await certificateAuthorityDAL.transaction(async (tx) => {
      if (configuration) {
-        const { dnsAppConnectionId, directoryUrl, accountEmail, dnsProviderConfig } = configuration;
+        const { dnsAppConnectionId, directoryUrl, accountEmail, dnsProviderConfig, eabKid, eabHmacKey } = configuration;
        const appConnection = await appConnectionDAL.findById(dnsAppConnectionId);

        if (!appConnection) {
@@ -254,7 +260,9 @@ export const AcmeCertificateAuthorityFns = ({
              directoryUrl,
              accountEmail,
              dnsProvider: dnsProviderConfig.provider,
-              hostedZoneId: dnsProviderConfig.hostedZoneId
+              hostedZoneId: dnsProviderConfig.hostedZoneId,
+              eabKid,
+              eabHmacKey
            }
          },
          tx
@@ -354,10 +362,19 @@ export const AcmeCertificateAuthorityFns = ({

    await blockLocalAndPrivateIpAddresses(acmeCa.configuration.directoryUrl);

-    const acmeClient = new acme.Client({
+    const acmeClientOptions: acme.ClientOptions = {
      directoryUrl: acmeCa.configuration.directoryUrl,
      accountKey
-    });
+    };
+
+    if (acmeCa.configuration.eabKid && acmeCa.configuration.eabHmacKey) {
+      acmeClientOptions.externalAccountBinding = {
+        kid: acmeCa.configuration.eabKid,
+        hmacKey: acmeCa.configuration.eabHmacKey
+      };
+    }
+
+    const acmeClient = new acme.Client(acmeClientOptions);

    const alg = keyAlgorithmToAlgCfg(CertKeyAlgorithm.RSA_2048);

--- a/backend/src/services/certificate-authority/acme/acme-certificate-authority-schemas.ts
+++ b/backend/src/services/certificate-authority/acme/acme-certificate-authority-schemas.ts
@@ -18,7 +18,9 @@ export const AcmeCertificateAuthorityConfigurationSchema = z.object({
    hostedZoneId: z.string().trim().min(1).describe(CertificateAuthorities.CONFIGURATIONS.ACME.hostedZoneId)
  }),
  directoryUrl: z.string().url().trim().min(1).describe(CertificateAuthorities.CONFIGURATIONS.ACME.directoryUrl),
-  accountEmail: z.string().trim().min(1).describe(CertificateAuthorities.CONFIGURATIONS.ACME.accountEmail)
+  accountEmail: z.string().trim().min(1).describe(CertificateAuthorities.CONFIGURATIONS.ACME.accountEmail),
+  eabKid: z.string().trim().max(64).optional().describe(CertificateAuthorities.CONFIGURATIONS.ACME.eabKid),
+  eabHmacKey: z.string().trim().max(512).optional().describe(CertificateAuthorities.CONFIGURATIONS.ACME.eabHmacKey)
 });

 export const AcmeCertificateAuthorityCredentialsSchema = z.object({
--- a/backend/src/services/certificate-authority/azure-ad-cs/azure-ad-cs-certificate-authority-fns.ts
+++ b/backend/src/services/certificate-authority/azure-ad-cs/azure-ad-cs-certificate-authority-fns.ts
--- a/backend/src/services/certificate-authority/azure-ad-cs/azure-ad-cs-certificate-authority-schemas.ts
+++ b/backend/src/services/certificate-authority/azure-ad-cs/azure-ad-cs-certificate-authority-schemas.ts
@@ -0,0 +1,29 @@
+import { z } from "zod";
+
+import { CaType } from "../certificate-authority-enums";
+import {
+  BaseCertificateAuthoritySchema,
+  GenericCreateCertificateAuthorityFieldsSchema,
+  GenericUpdateCertificateAuthorityFieldsSchema
+} from "../certificate-authority-schemas";
+
+export const AzureAdCsCertificateAuthorityConfigurationSchema = z.object({
+  azureAdcsConnectionId: z.string().uuid().trim().describe("Azure ADCS Connection ID")
+});
+
+export const AzureAdCsCertificateAuthoritySchema = BaseCertificateAuthoritySchema.extend({
+  type: z.literal(CaType.AZURE_AD_CS),
+  configuration: AzureAdCsCertificateAuthorityConfigurationSchema
+});
+
+export const CreateAzureAdCsCertificateAuthoritySchema = GenericCreateCertificateAuthorityFieldsSchema(
+  CaType.AZURE_AD_CS
+).extend({
+  configuration: AzureAdCsCertificateAuthorityConfigurationSchema
+});
+
+export const UpdateAzureAdCsCertificateAuthoritySchema = GenericUpdateCertificateAuthorityFieldsSchema(
+  CaType.AZURE_AD_CS
+).extend({
+  configuration: AzureAdCsCertificateAuthorityConfigurationSchema.optional()
+});
--- a/backend/src/services/certificate-authority/azure-ad-cs/azure-ad-cs-certificate-authority-types.ts
+++ b/backend/src/services/certificate-authority/azure-ad-cs/azure-ad-cs-certificate-authority-types.ts
@@ -0,0 +1,13 @@
+import { z } from "zod";
+
+import {
+  AzureAdCsCertificateAuthoritySchema,
+  CreateAzureAdCsCertificateAuthoritySchema,
+  UpdateAzureAdCsCertificateAuthoritySchema
+} from "./azure-ad-cs-certificate-authority-schemas";
+
+export type TAzureAdCsCertificateAuthority = z.infer<typeof AzureAdCsCertificateAuthoritySchema>;
+
+export type TCreateAzureAdCsCertificateAuthorityDTO = z.infer<typeof CreateAzureAdCsCertificateAuthoritySchema>;
+
+export type TUpdateAzureAdCsCertificateAuthorityDTO = z.infer<typeof UpdateAzureAdCsCertificateAuthoritySchema>;
--- a/backend/src/services/certificate-authority/certificate-authority-enums.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-enums.ts
@@ -1,6 +1,7 @@
 export enum CaType {
  INTERNAL = "internal",
-  ACME = "acme"
+  ACME = "acme",
+  AZURE_AD_CS = "azure-ad-cs"
 }

 export enum InternalCaType {
@@ -17,3 +18,9 @@ export enum CaStatus {
 export enum CaRenewalType {
  EXISTING = "existing"
 }
+
+export enum CaCapability {
+  ISSUE_CERTIFICATES = "issue-certificates",
+  REVOKE_CERTIFICATES = "revoke-certificates",
+  RENEW_CERTIFICATES = "renew-certificates"
+}
--- a/backend/src/services/certificate-authority/certificate-authority-maps.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-maps.ts
@@ -1,6 +1,29 @@
-import { CaType } from "./certificate-authority-enums";
+import { CaCapability, CaType } from "./certificate-authority-enums";

 export const CERTIFICATE_AUTHORITIES_TYPE_MAP: Record<CaType, string> = {
  [CaType.INTERNAL]: "Internal",
-  [CaType.ACME]: "ACME"
+  [CaType.ACME]: "ACME",
+  [CaType.AZURE_AD_CS]: "Azure AD Certificate Service"
+};
+
+export const CERTIFICATE_AUTHORITIES_CAPABILITIES_MAP: Record<CaType, CaCapability[]> = {
+  [CaType.INTERNAL]: [
+    CaCapability.ISSUE_CERTIFICATES,
+    CaCapability.REVOKE_CERTIFICATES,
+    CaCapability.RENEW_CERTIFICATES
+  ],
+  [CaType.ACME]: [CaCapability.ISSUE_CERTIFICATES, CaCapability.REVOKE_CERTIFICATES, CaCapability.RENEW_CERTIFICATES],
+  [CaType.AZURE_AD_CS]: [
+    CaCapability.ISSUE_CERTIFICATES,
+    CaCapability.RENEW_CERTIFICATES
+    // Note: REVOKE_CERTIFICATES intentionally omitted - not supported by ADCS connector
+  ]
+};
+
+/**
+ * Check if a certificate authority type supports a specific capability
+ */
+export const caSupportsCapability = (caType: CaType, capability: CaCapability): boolean => {
+  const capabilities = CERTIFICATE_AUTHORITIES_CAPABILITIES_MAP[caType] || [];
+  return capabilities.includes(capability);
 };
--- a/backend/src/services/certificate-authority/certificate-authority-queue.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-queue.ts
@@ -21,6 +21,7 @@ import { TCertificateSecretDALFactory } from "../certificate/certificate-secret-
 import { TPkiSubscriberDALFactory } from "../pki-subscriber/pki-subscriber-dal";
 import { SubscriberOperationStatus } from "../pki-subscriber/pki-subscriber-types";
 import { AcmeCertificateAuthorityFns } from "./acme/acme-certificate-authority-fns";
+import { AzureAdCsCertificateAuthorityFns } from "./azure-ad-cs/azure-ad-cs-certificate-authority-fns";
 import { TCertificateAuthorityDALFactory } from "./certificate-authority-dal";
 import { CaType } from "./certificate-authority-enums";
 import { keyAlgorithmToAlgCfg } from "./certificate-authority-fns";
@@ -33,7 +34,7 @@ import {

 type TCertificateAuthorityQueueFactoryDep = {
  certificateAuthorityDAL: TCertificateAuthorityDALFactory;
-  appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update">;
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">;
  appConnectionService: Pick<TAppConnectionServiceFactory, "connectAppConnectionById">;
  externalCertificateAuthorityDAL: Pick<TExternalCertificateAuthorityDALFactory, "create" | "update">;
  keyStore: Pick<TKeyStoreFactory, "acquireLock" | "setItemWithExpiry" | "getItem">;
@@ -82,6 +83,19 @@ export const certificateAuthorityQueueFactory = ({
    projectDAL
  });

+  const azureAdCsFns = AzureAdCsCertificateAuthorityFns({
+    appConnectionDAL,
+    appConnectionService,
+    certificateAuthorityDAL,
+    externalCertificateAuthorityDAL,
+    certificateDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    kmsService,
+    pkiSubscriberDAL,
+    projectDAL
+  });
+
  // TODO 1: auto-periodic rotation
  // TODO 2: manual rotation

@@ -158,6 +172,13 @@ export const certificateAuthorityQueueFactory = ({
            lastOperationMessage: "Certificate ordered successfully",
            lastOperationAt: new Date()
          });
+        } else if (caType === CaType.AZURE_AD_CS) {
+          await azureAdCsFns.orderSubscriberCertificate(subscriberId);
+          await pkiSubscriberDAL.updateById(subscriberId, {
+            lastOperationStatus: SubscriberOperationStatus.SUCCESS,
+            lastOperationMessage: "Certificate ordered successfully",
+            lastOperationAt: new Date()
+          });
        }
      } catch (e: unknown) {
        if (e instanceof Error) {
--- a/backend/src/services/certificate-authority/certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-service.ts
@@ -22,6 +22,14 @@ import {
  TCreateAcmeCertificateAuthorityDTO,
  TUpdateAcmeCertificateAuthorityDTO
 } from "./acme/acme-certificate-authority-types";
+import {
+  AzureAdCsCertificateAuthorityFns,
+  castDbEntryToAzureAdCsCertificateAuthority
+} from "./azure-ad-cs/azure-ad-cs-certificate-authority-fns";
+import {
+  TCreateAzureAdCsCertificateAuthorityDTO,
+  TUpdateAzureAdCsCertificateAuthorityDTO
+} from "./azure-ad-cs/azure-ad-cs-certificate-authority-types";
 import { TCertificateAuthorityDALFactory } from "./certificate-authority-dal";
 import { CaType } from "./certificate-authority-enums";
 import {
@@ -34,7 +42,7 @@ import { TInternalCertificateAuthorityServiceFactory } from "./internal/internal
 import { TCreateInternalCertificateAuthorityDTO } from "./internal/internal-certificate-authority-types";

 type TCertificateAuthorityServiceFactoryDep = {
-  appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update">;
+  appConnectionDAL: Pick<TAppConnectionDALFactory, "findById" | "update" | "updateById">;
  appConnectionService: Pick<TAppConnectionServiceFactory, "connectAppConnectionById">;
  certificateAuthorityDAL: Pick<
    TCertificateAuthorityDALFactory,
@@ -91,6 +99,19 @@ export const certificateAuthorityServiceFactory = ({
    projectDAL
  });

+  const azureAdCsFns = AzureAdCsCertificateAuthorityFns({
+    appConnectionDAL,
+    appConnectionService,
+    certificateAuthorityDAL,
+    externalCertificateAuthorityDAL,
+    certificateDAL,
+    certificateBodyDAL,
+    certificateSecretDAL,
+    kmsService,
+    pkiSubscriberDAL,
+    projectDAL
+  });
+
  const createCertificateAuthority = async (
    { type, projectId, name, enableDirectIssuance, configuration, status }: TCreateCertificateAuthorityDTO,
    actor: OrgServiceActor
@@ -146,6 +167,17 @@ export const certificateAuthorityServiceFactory = ({
      });
    }

+    if (type === CaType.AZURE_AD_CS) {
+      return azureAdCsFns.createCertificateAuthority({
+        name,
+        projectId,
+        configuration: configuration as TCreateAzureAdCsCertificateAuthorityDTO["configuration"],
+        enableDirectIssuance,
+        status,
+        actor
+      });
+    }
+
    throw new BadRequestError({ message: "Invalid certificate authority type" });
  };

@@ -205,6 +237,10 @@ export const certificateAuthorityServiceFactory = ({
      return castDbEntryToAcmeCertificateAuthority(certificateAuthority);
    }

+    if (type === CaType.AZURE_AD_CS) {
+      return castDbEntryToAzureAdCsCertificateAuthority(certificateAuthority);
+    }
+
    throw new BadRequestError({ message: "Invalid certificate authority type" });
  };

@@ -249,6 +285,10 @@ export const certificateAuthorityServiceFactory = ({
      return acmeFns.listCertificateAuthorities({ projectId });
    }

+    if (type === CaType.AZURE_AD_CS) {
+      return azureAdCsFns.listCertificateAuthorities({ projectId });
+    }
+
    throw new BadRequestError({ message: "Invalid certificate authority type" });
  };

@@ -323,6 +363,17 @@ export const certificateAuthorityServiceFactory = ({
      });
    }

+    if (type === CaType.AZURE_AD_CS) {
+      return azureAdCsFns.updateCertificateAuthority({
+        id: certificateAuthority.id,
+        configuration: configuration as TUpdateAzureAdCsCertificateAuthorityDTO["configuration"],
+        enableDirectIssuance,
+        actor,
+        status,
+        name
+      });
+    }
+
    throw new BadRequestError({ message: "Invalid certificate authority type" });
  };

@@ -384,14 +435,54 @@ export const certificateAuthorityServiceFactory = ({
      return castDbEntryToAcmeCertificateAuthority(certificateAuthority);
    }

+    if (type === CaType.AZURE_AD_CS) {
+      return castDbEntryToAzureAdCsCertificateAuthority(certificateAuthority);
+    }
+
    throw new BadRequestError({ message: "Invalid certificate authority type" });
  };

+  const getAzureAdcsTemplates = async ({
+    caId,
+    projectId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: {
+    caId: string;
+    projectId: string;
+    actor: OrgServiceActor["type"];
+    actorId: string;
+    actorAuthMethod: OrgServiceActor["authMethod"];
+    actorOrgId?: string;
+  }) => {
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.CertificateManager
+    });
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionActions.Read,
+      ProjectPermissionSub.CertificateAuthorities
+    );
+
+    return azureAdCsFns.getTemplates({
+      caId,
+      projectId
+    });
+  };
+
  return {
    createCertificateAuthority,
    findCertificateAuthorityByNameAndProjectId,
    listCertificateAuthoritiesByProjectId,
    updateCertificateAuthority,
-    deleteCertificateAuthority
+    deleteCertificateAuthority,
+    getAzureAdcsTemplates
  };
 };
--- a/backend/src/services/certificate-authority/certificate-authority-types.ts
+++ b/backend/src/services/certificate-authority/certificate-authority-types.ts
@@ -1,13 +1,23 @@
 import { TAcmeCertificateAuthority, TAcmeCertificateAuthorityInput } from "./acme/acme-certificate-authority-types";
+import {
+  TAzureAdCsCertificateAuthority,
+  TCreateAzureAdCsCertificateAuthorityDTO
+} from "./azure-ad-cs/azure-ad-cs-certificate-authority-types";
 import { CaType } from "./certificate-authority-enums";
 import {
  TInternalCertificateAuthority,
  TInternalCertificateAuthorityInput
 } from "./internal/internal-certificate-authority-types";

-export type TCertificateAuthority = TInternalCertificateAuthority | TAcmeCertificateAuthority;
+export type TCertificateAuthority =
+  | TInternalCertificateAuthority
+  | TAcmeCertificateAuthority
+  | TAzureAdCsCertificateAuthority;

-export type TCertificateAuthorityInput = TInternalCertificateAuthorityInput | TAcmeCertificateAuthorityInput;
+export type TCertificateAuthorityInput =
+  | TInternalCertificateAuthorityInput
+  | TAcmeCertificateAuthorityInput
+  | TCreateAzureAdCsCertificateAuthorityDTO;

 export type TCreateCertificateAuthorityDTO = Omit<TCertificateAuthority, "id">;

--- a/backend/src/services/certificate-authority/internal/internal-certificate-authority-fns.ts
+++ b/backend/src/services/certificate-authority/internal/internal-certificate-authority-fns.ts
@@ -36,12 +36,18 @@ import { validateAndMapAltNameType } from "../certificate-authority-validators";
 import { TIssueCertWithTemplateDTO } from "./internal-certificate-authority-types";

 type TInternalCertificateAuthorityFnsDeps = {
-  certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findByIdWithAssociatedCa" | "findById">;
+  certificateAuthorityDAL: Pick<
+    TCertificateAuthorityDALFactory,
+    "findByIdWithAssociatedCa" | "findById" | "create" | "transaction" | "updateById" | "findWithAssociatedCa"
+  >;
  certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "findById">;
  certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "findOne">;
  certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "findOne">;
  projectDAL: Pick<TProjectDALFactory, "findById" | "transaction" | "findOne" | "updateById">;
-  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "encryptWithKmsKey" | "generateKmsKey">;
+  kmsService: Pick<
+    TKmsServiceFactory,
+    "decryptWithKmsKey" | "encryptWithKmsKey" | "generateKmsKey" | "createCipherPairWithDataKey"
+  >;
  certificateDAL: Pick<TCertificateDALFactory, "create" | "transaction">;
  certificateBodyDAL: Pick<TCertificateBodyDALFactory, "create">;
  certificateSecretDAL: Pick<TCertificateSecretDALFactory, "create">;
--- a/backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts
+++ b/backend/src/services/certificate-authority/internal/internal-certificate-authority-service.ts
@@ -1190,7 +1190,9 @@ export const internalCertificateAuthorityServiceFactory = ({
        });
      }

-      collectionId = certificateTemplate.pkiCollectionId as string;
+      if (!collectionId) {
+        collectionId = certificateTemplate.pkiCollectionId as string;
+      }
      ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(certificateTemplate.caId);
    }

--- a/backend/src/services/certificate/certificate-service.ts
+++ b/backend/src/services/certificate/certificate-service.ts
@@ -14,6 +14,8 @@ import { TCertificateBodyDALFactory } from "@app/services/certificate/certificat
 import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
 import { TCertificateAuthorityCertDALFactory } from "@app/services/certificate-authority/certificate-authority-cert-dal";
 import { TCertificateAuthorityDALFactory } from "@app/services/certificate-authority/certificate-authority-dal";
+import { CaCapability, CaType } from "@app/services/certificate-authority/certificate-authority-enums";
+import { caSupportsCapability } from "@app/services/certificate-authority/certificate-authority-maps";
 import { TCertificateAuthoritySecretDALFactory } from "@app/services/certificate-authority/certificate-authority-secret-dal";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { TPkiCollectionDALFactory } from "@app/services/pki-collection/pki-collection-dal";
@@ -184,9 +186,11 @@ export const certificateServiceFactory = ({

    const ca = await certificateAuthorityDAL.findByIdWithAssociatedCa(cert.caId);

-    if (ca.externalCa?.id) {
+    // Check if the CA type supports revocation
+    const caType = (ca.externalCa?.type as CaType) ?? CaType.INTERNAL;
+    if (!caSupportsCapability(caType, CaCapability.REVOKE_CERTIFICATES)) {
      throw new BadRequestError({
-        message: "Cannot revoke external certificates"
+        message: "Certificate revocation is not supported by this certificate authority type"
      });
    }

@@ -218,18 +222,37 @@ export const certificateServiceFactory = ({
      }
    );

-    // rebuild CRL (TODO: move to interval-based cron job)
-    await rebuildCaCrl({
-      caId: ca.id,
-      certificateAuthorityDAL,
-      certificateAuthorityCrlDAL,
-      certificateAuthoritySecretDAL,
-      projectDAL,
-      certificateDAL,
-      kmsService
-    });
+    // Note: External CA revocation handling would go here for supported CA types
+    // Currently, only internal CAs and ACME CAs support revocation

-    return { revokedAt, cert, ca: expandInternalCa(ca) };
+    // rebuild CRL (TODO: move to interval-based cron job)
+    // Only rebuild CRL for internal CAs - external CAs manage their own CRLs
+    if (!ca.externalCa?.id) {
+      await rebuildCaCrl({
+        caId: ca.id,
+        certificateAuthorityDAL,
+        certificateAuthorityCrlDAL,
+        certificateAuthoritySecretDAL,
+        projectDAL,
+        certificateDAL,
+        kmsService
+      });
+    }
+
+    // Return appropriate CA format based on CA type
+    const caResult = ca.externalCa?.id
+      ? {
+          id: ca.id,
+          name: ca.name,
+          projectId: ca.projectId,
+          status: ca.status,
+          enableDirectIssuance: ca.enableDirectIssuance,
+          type: ca.externalCa.type,
+          externalCa: ca.externalCa
+        }
+      : expandInternalCa(ca);
+
+    return { revokedAt, cert, ca: caResult };
  };

  /**
--- a/backend/src/services/external-migration/external-migration-fns/vault.ts
+++ b/backend/src/services/external-migration/external-migration-fns/vault.ts
@@ -1,12 +1,21 @@
+import https from "node:https";
+
 import axios, { AxiosInstance } from "axios";
 import { v4 as uuidv4 } from "uuid";

+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { BadRequestError } from "@app/lib/errors";
+import { GatewayProxyProtocol, withGatewayProxy } from "@app/lib/gateway";
 import { logger } from "@app/lib/logger";
 import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";

 import { InfisicalImportData, VaultMappingType } from "../external-migration-types";

+enum KvVersion {
+  V1 = "1",
+  V2 = "2"
+}
+
 type VaultData = {
  namespace: string;
  mount: string;
@@ -14,7 +23,42 @@ type VaultData = {
  secretData: Record<string, string>;
 };

-const vaultFactory = () => {
+const vaultFactory = (gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">) => {
+  const $gatewayProxyWrapper = async <T>(
+    inputs: {
+      gatewayId: string;
+      targetHost?: string;
+      targetPort?: number;
+    },
+    gatewayCallback: (host: string, port: number, httpsAgent?: https.Agent) => Promise<T>
+  ): Promise<T> => {
+    const relayDetails = await gatewayService.fnGetGatewayClientTlsByGatewayId(inputs.gatewayId);
+    const [relayHost, relayPort] = relayDetails.relayAddress.split(":");
+
+    const callbackResult = await withGatewayProxy(
+      async (port, httpsAgent) => {
+        const res = await gatewayCallback("http://localhost", port, httpsAgent);
+        return res;
+      },
+      {
+        protocol: GatewayProxyProtocol.Http,
+        targetHost: inputs.targetHost,
+        targetPort: inputs.targetPort,
+        relayHost,
+        relayPort: Number(relayPort),
+        identityId: relayDetails.identityId,
+        orgId: relayDetails.orgId,
+        tlsOptions: {
+          ca: relayDetails.certChain,
+          cert: relayDetails.certificate,
+          key: relayDetails.privateKey.toString()
+        }
+      }
+    );
+
+    return callbackResult;
+  };
+
  const getMounts = async (request: AxiosInstance) => {
    const response = await request
      .get<{
@@ -31,11 +75,24 @@ const vaultFactory = () => {

  const getPaths = async (
    request: AxiosInstance,
-    { mountPath, secretPath = "" }: { mountPath: string; secretPath?: string }
+    { mountPath, secretPath = "" }: { mountPath: string; secretPath?: string },
+    kvVersion: KvVersion
  ) => {
    try {
-      // For KV v2: /v1/{mount}/metadata/{path}?list=true
-      const path = secretPath ? `${mountPath}/metadata/${secretPath}` : `${mountPath}/metadata`;
+      if (kvVersion === KvVersion.V2) {
+        // For KV v2: /v1/{mount}/metadata/{path}?list=true
+        const path = secretPath ? `${mountPath}/metadata/${secretPath}` : `${mountPath}/metadata`;
+        const response = await request.get<{
+          data: {
+            keys: string[];
+          };
+        }>(`/v1/${path}?list=true`);
+
+        return response.data.data.keys;
+      }
+
+      // kv version v1: /v1/{mount}?list=true
+      const path = secretPath ? `${mountPath}/${secretPath}` : mountPath;
      const response = await request.get<{
        data: {
          keys: string[];
@@ -56,21 +113,42 @@ const vaultFactory = () => {

  const getSecrets = async (
    request: AxiosInstance,
-    { mountPath, secretPath }: { mountPath: string; secretPath: string }
+    { mountPath, secretPath }: { mountPath: string; secretPath: string },
+    kvVersion: KvVersion
  ) => {
-    // For KV v2: /v1/{mount}/data/{path}
+    if (kvVersion === KvVersion.V2) {
+      // For KV v2: /v1/{mount}/data/{path}
+      const response = await request
+        .get<{
+          data: {
+            data: Record<string, string>; // KV v2 has nested data structure
+            metadata: {
+              created_time: string;
+              deletion_time: string;
+              destroyed: boolean;
+              version: number;
+            };
+          };
+        }>(`/v1/${mountPath}/data/${secretPath}`)
+        .catch((err) => {
+          if (axios.isAxiosError(err)) {
+            logger.error(err.response?.data, "External migration: Failed to get Vault secret");
+          }
+          throw err;
+        });
+
+      return response.data.data.data;
+    }
+
+    // kv version v1
+
    const response = await request
      .get<{
-        data: {
-          data: Record<string, string>; // KV v2 has nested data structure
-          metadata: {
-            created_time: string;
-            deletion_time: string;
-            destroyed: boolean;
-            version: number;
-          };
-        };
-      }>(`/v1/${mountPath}/data/${secretPath}`)
+        data: Record<string, string>; // KV v1 has flat data structure
+        lease_duration: number;
+        lease_id: string;
+        renewable: boolean;
+      }>(`/v1/${mountPath}/${secretPath}`)
      .catch((err) => {
        if (axios.isAxiosError(err)) {
          logger.error(err.response?.data, "External migration: Failed to get Vault secret");
@@ -78,7 +156,7 @@ const vaultFactory = () => {
        throw err;
      });

-    return response.data.data.data;
+    return response.data.data;
  };

  // helper function to check if a mount is KV v2 (will be useful if we add support for Vault KV v1)
@@ -89,9 +167,10 @@ const vaultFactory = () => {
  const recursivelyGetAllPaths = async (
    request: AxiosInstance,
    mountPath: string,
+    kvVersion: KvVersion,
    currentPath: string = ""
  ): Promise<string[]> => {
-    const paths = await getPaths(request, { mountPath, secretPath: currentPath });
+    const paths = await getPaths(request, { mountPath, secretPath: currentPath }, kvVersion);

    if (paths === null || paths.length === 0) {
      return [];
@@ -105,7 +184,7 @@ const vaultFactory = () => {

      if (path.endsWith("/")) {
        // it's a folder so we recurse into it
-        const subSecrets = await recursivelyGetAllPaths(request, mountPath, fullItemPath);
+        const subSecrets = await recursivelyGetAllPaths(request, mountPath, kvVersion, fullItemPath);
        allSecrets.push(...subSecrets);
      } else {
        // it's a secret so we add it to our results
@@ -119,60 +198,93 @@ const vaultFactory = () => {
  async function collectVaultData({
    baseUrl,
    namespace,
-    accessToken
+    accessToken,
+    gatewayId
  }: {
    baseUrl: string;
    namespace?: string;
    accessToken: string;
+    gatewayId?: string;
  }): Promise<VaultData[]> {
-    const request = axios.create({
-      baseURL: baseUrl,
-      headers: {
-        "X-Vault-Token": accessToken,
-        ...(namespace ? { "X-Vault-Namespace": namespace } : {})
+    const getData = async (host: string, port?: number, httpsAgent?: https.Agent) => {
+      const allData: VaultData[] = [];
+
+      const request = axios.create({
+        baseURL: port ? `${host}:${port}` : host,
+        headers: {
+          "X-Vault-Token": accessToken,
+          ...(namespace ? { "X-Vault-Namespace": namespace } : {})
+        },
+        httpsAgent
+      });
+
+      // Get all mounts in this namespace
+      const mounts = await getMounts(request);
+
+      for (const mount of Object.keys(mounts)) {
+        if (!mount.endsWith("/")) {
+          delete mounts[mount];
+        }
      }
-    });

-    const allData: VaultData[] = [];
+      for await (const [mountPath, mountInfo] of Object.entries(mounts)) {
+        // skip non-KV mounts
+        if (!mountInfo.type.startsWith("kv")) {
+          // eslint-disable-next-line no-continue
+          continue;
+        }

-    // Get all mounts in this namespace
-    const mounts = await getMounts(request);
+        const kvVersion = mountInfo.options?.version === "2" ? KvVersion.V2 : KvVersion.V1;

-    for (const mount of Object.keys(mounts)) {
-      if (!mount.endsWith("/")) {
-        delete mounts[mount];
+        // get all paths in this mount
+        const paths = await recursivelyGetAllPaths(request, `${mountPath.replace(/\/$/, "")}`, kvVersion);
+
+        const cleanMountPath = mountPath.replace(/\/$/, "");
+
+        for await (const secretPath of paths) {
+          // get the actual secret data
+          const secretData = await getSecrets(
+            request,
+            {
+              mountPath: cleanMountPath,
+              secretPath: secretPath.replace(`${cleanMountPath}/`, "")
+            },
+            kvVersion
+          );
+
+          allData.push({
+            namespace: namespace || "",
+            mount: mountPath.replace(/\/$/, ""),
+            path: secretPath.replace(`${cleanMountPath}/`, ""),
+            secretData
+          });
+        }
      }
+
+      return allData;
+    };
+
+    let data;
+
+    if (gatewayId) {
+      const url = new URL(baseUrl);
+
+      const { port, protocol, hostname } = url;
+      const cleanedProtocol = protocol.slice(0, -1);
+
+      data = await $gatewayProxyWrapper(
+        {
+          gatewayId,
+          targetHost: `${cleanedProtocol}://${hostname}`,
+          targetPort: port ? Number(port) : 8200 // 8200, default port for Vault self-hosted/dedicated
+        },
+        getData
+      );
+    } else {
+      data = await getData(baseUrl);
    }

-    for await (const [mountPath, mountInfo] of Object.entries(mounts)) {
-      // skip non-KV mounts
-      if (!mountInfo.type.startsWith("kv")) {
-        // eslint-disable-next-line no-continue
-        continue;
-      }
-
-      // get all paths in this mount
-      const paths = await recursivelyGetAllPaths(request, `${mountPath.replace(/\/$/, "")}`);
-
-      const cleanMountPath = mountPath.replace(/\/$/, "");
-
-      for await (const secretPath of paths) {
-        // get the actual secret data
-        const secretData = await getSecrets(request, {
-          mountPath: cleanMountPath,
-          secretPath: secretPath.replace(`${cleanMountPath}/`, "")
-        });
-
-        allData.push({
-          namespace: namespace || "",
-          mount: mountPath.replace(/\/$/, ""),
-          path: secretPath.replace(`${cleanMountPath}/`, ""),
-          secretData
-        });
-      }
-    }
-
-    return allData;
+    return data;
  }

  return {
@@ -296,17 +408,126 @@ export const transformToInfisicalFormatNamespaceToProjects = (
  };
 };

-export const importVaultDataFn = async ({
-  vaultAccessToken,
-  vaultNamespace,
-  vaultUrl,
-  mappingType
-}: {
-  vaultAccessToken: string;
-  vaultNamespace?: string;
-  vaultUrl: string;
-  mappingType: VaultMappingType;
-}) => {
+export const transformToInfisicalFormatKeyVaultToProjectsCustomC1 = (vaultData: VaultData[]): InfisicalImportData => {
+  const projects: Array<{ name: string; id: string }> = [];
+  const environments: Array<{ name: string; id: string; projectId: string; envParentId?: string }> = [];
+  const folders: Array<{ id: string; name: string; environmentId: string; parentFolderId?: string }> = [];
+  const secrets: Array<{ id: string; name: string; environmentId: string; value: string; folderId?: string }> = [];
+
+  // track created entities to avoid duplicates
+  const projectMap = new Map<string, string>(); // team name -> projectId
+  const environmentMap = new Map<string, string>(); // team-name:envName -> environmentId
+  const folderMap = new Map<string, string>(); // team-name:envName:folderPath -> folderId
+
+  for (const data of vaultData) {
+    const { path, secretData } = data;
+
+    const pathParts = path.split("/").filter(Boolean);
+    if (pathParts.length < 2) {
+      // eslint-disable-next-line no-continue
+      continue;
+    }
+
+    // first level: environment (dev, prod, staging, etc.)
+    const environmentName = pathParts[0];
+    // second level: team name (team1, team2, etc.)
+    const teamName = pathParts[1];
+    // remaining parts: folder structure
+    const folderParts = pathParts.slice(2);
+
+    // create project (team) if if doesn't exist
+    if (!projectMap.has(teamName)) {
+      const projectId = uuidv4();
+      projectMap.set(teamName, projectId);
+      projects.push({
+        name: teamName,
+        id: projectId
+      });
+    }
+    const projectId = projectMap.get(teamName)!;
+
+    // create environment (dev, prod, etc.) for team
+    const envKey = `${teamName}:${environmentName}`;
+    if (!environmentMap.has(envKey)) {
+      const environmentId = uuidv4();
+      environmentMap.set(envKey, environmentId);
+      environments.push({
+        name: environmentName,
+        id: environmentId,
+        projectId
+      });
+    }
+    const environmentId = environmentMap.get(envKey)!;
+
+    // create folder structure for path segments
+    let currentFolderId: string | undefined;
+    let currentPath = "";
+
+    for (const folderName of folderParts) {
+      currentPath = currentPath ? `${currentPath}/${folderName}` : folderName;
+      const folderKey = `${teamName}:${environmentName}:${currentPath}`;
+
+      if (!folderMap.has(folderKey)) {
+        const folderId = uuidv4();
+        folderMap.set(folderKey, folderId);
+        folders.push({
+          id: folderId,
+          name: folderName,
+          environmentId,
+          parentFolderId: currentFolderId || environmentId
+        });
+        currentFolderId = folderId;
+      } else {
+        currentFolderId = folderMap.get(folderKey)!;
+      }
+    }
+
+    for (const [key, value] of Object.entries(secretData)) {
+      secrets.push({
+        id: uuidv4(),
+        name: key,
+        environmentId,
+        value: String(value),
+        folderId: currentFolderId
+      });
+    }
+  }
+
+  return {
+    projects,
+    environments,
+    folders,
+    secrets
+  };
+};
+
+// refer to internal doc for more details on which ID's belong to which orgs.
+// when its a custom migration, then it doesn't matter which mapping type is used (as of now).
+export const vaultMigrationTransformMappings: Record<
+  string,
+  (vaultData: VaultData[], mappingType: VaultMappingType) => InfisicalImportData
+> = {
+  "68c57ab3-cea5-41fc-ae38-e156b10c14d2": transformToInfisicalFormatKeyVaultToProjectsCustomC1
+} as const;
+
+export const importVaultDataFn = async (
+  {
+    vaultAccessToken,
+    vaultNamespace,
+    vaultUrl,
+    mappingType,
+    gatewayId,
+    orgId
+  }: {
+    vaultAccessToken: string;
+    vaultNamespace?: string;
+    vaultUrl: string;
+    mappingType: VaultMappingType;
+    gatewayId?: string;
+    orgId: string;
+  },
+  { gatewayService }: { gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId"> }
+) => {
  await blockLocalAndPrivateIpAddresses(vaultUrl);

  if (mappingType === VaultMappingType.Namespace && !vaultNamespace) {
@@ -315,15 +536,33 @@ export const importVaultDataFn = async ({
    });
  }

-  const vaultApi = vaultFactory();
+  let transformFn: (vaultData: VaultData[], mappingType: VaultMappingType) => InfisicalImportData;
+
+  if (mappingType === VaultMappingType.Custom) {
+    transformFn = vaultMigrationTransformMappings[orgId];
+
+    if (!transformFn) {
+      throw new BadRequestError({
+        message: "Please contact our sales team to enable custom vault migrations."
+      });
+    }
+  } else {
+    transformFn = transformToInfisicalFormatNamespaceToProjects;
+  }
+
+  logger.info(
+    { orgId, mappingType },
+    `[importVaultDataFn]: Running ${orgId in vaultMigrationTransformMappings ? "custom" : "default"} transform`
+  );
+
+  const vaultApi = vaultFactory(gatewayService);

  const vaultData = await vaultApi.collectVaultData({
    accessToken: vaultAccessToken,
    baseUrl: vaultUrl,
-    namespace: vaultNamespace
+    namespace: vaultNamespace,
+    gatewayId
  });

-  const infisicalData = transformToInfisicalFormatNamespaceToProjects(vaultData, mappingType);
-
-  return infisicalData;
+  return transformFn(vaultData, mappingType);
 };
--- a/backend/src/services/external-migration/external-migration-service.ts
+++ b/backend/src/services/external-migration/external-migration-service.ts
@@ -1,17 +1,30 @@
 import { OrgMembershipRole } from "@app/db/schemas";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, ForbiddenRequestError } from "@app/lib/errors";

 import { TUserDALFactory } from "../user/user-dal";
-import { decryptEnvKeyDataFn, importVaultDataFn, parseEnvKeyDataFn } from "./external-migration-fns";
+import {
+  decryptEnvKeyDataFn,
+  importVaultDataFn,
+  parseEnvKeyDataFn,
+  vaultMigrationTransformMappings
+} from "./external-migration-fns";
 import { TExternalMigrationQueueFactory } from "./external-migration-queue";
-import { ExternalPlatforms, TImportEnvKeyDataDTO, TImportVaultDataDTO } from "./external-migration-types";
+import {
+  ExternalMigrationProviders,
+  ExternalPlatforms,
+  THasCustomVaultMigrationDTO,
+  TImportEnvKeyDataDTO,
+  TImportVaultDataDTO
+} from "./external-migration-types";

 type TExternalMigrationServiceFactoryDep = {
  permissionService: TPermissionServiceFactory;
  externalMigrationQueue: TExternalMigrationQueueFactory;
  userDAL: Pick<TUserDALFactory, "findById">;
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">;
 };

 export type TExternalMigrationServiceFactory = ReturnType<typeof externalMigrationServiceFactory>;
@@ -19,7 +32,8 @@ export type TExternalMigrationServiceFactory = ReturnType<typeof externalMigrati
 export const externalMigrationServiceFactory = ({
  permissionService,
  externalMigrationQueue,
-  userDAL
+  userDAL,
+  gatewayService
 }: TExternalMigrationServiceFactoryDep) => {
  const importEnvKeyData = async ({
    decryptionKey,
@@ -72,6 +86,7 @@ export const externalMigrationServiceFactory = ({
    vaultNamespace,
    mappingType,
    vaultUrl,
+    gatewayId,
    actor,
    actorId,
    actorOrgId,
@@ -91,12 +106,19 @@ export const externalMigrationServiceFactory = ({

    const user = await userDAL.findById(actorId);

-    const vaultData = await importVaultDataFn({
-      vaultAccessToken,
-      vaultNamespace,
-      vaultUrl,
-      mappingType
-    });
+    const vaultData = await importVaultDataFn(
+      {
+        vaultAccessToken,
+        vaultNamespace,
+        vaultUrl,
+        mappingType,
+        gatewayId,
+        orgId: actorOrgId
+      },
+      {
+        gatewayService
+      }
+    );

    const stringifiedJson = JSON.stringify({
      data: vaultData,
@@ -117,8 +139,37 @@ export const externalMigrationServiceFactory = ({
    });
  };

+  const hasCustomVaultMigration = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    provider
+  }: THasCustomVaultMigrationDTO) => {
+    const { membership } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    if (membership.role !== OrgMembershipRole.Admin) {
+      throw new ForbiddenRequestError({ message: "Only admins can check custom migration status" });
+    }
+
+    if (provider !== ExternalMigrationProviders.Vault) {
+      throw new BadRequestError({
+        message: "Invalid provider. Vault is the only supported provider for custom migrations."
+      });
+    }
+
+    return actorOrgId in vaultMigrationTransformMappings;
+  };
+
  return {
    importEnvKeyData,
-    importVaultData
+    importVaultData,
+    hasCustomVaultMigration
  };
 };
--- a/backend/src/services/external-migration/external-migration-types.ts
+++ b/backend/src/services/external-migration/external-migration-types.ts
@@ -4,7 +4,8 @@ import { ActorAuthMethod, ActorType } from "../auth/auth-type";

 export enum VaultMappingType {
  Namespace = "namespace",
-  KeyVault = "key-vault"
+  KeyVault = "key-vault",
+  Custom = "custom"
 }

 export type InfisicalImportData = {
@@ -26,11 +27,16 @@ export type TImportEnvKeyDataDTO = {
  encryptedJson: { nonce: string; data: string };
 } & Omit<TOrgPermission, "orgId">;

+export type THasCustomVaultMigrationDTO = {
+  provider: ExternalMigrationProviders;
+} & Omit<TOrgPermission, "orgId">;
+
 export type TImportVaultDataDTO = {
  vaultAccessToken: string;
  vaultNamespace?: string;
  mappingType: VaultMappingType;
  vaultUrl: string;
+  gatewayId?: string;
 } & Omit<TOrgPermission, "orgId">;

 export type TImportInfisicalDataCreate = {
@@ -110,3 +116,8 @@ export enum ExternalPlatforms {
  EnvKey = "EnvKey",
  Vault = "Vault"
 }
+
+export enum ExternalMigrationProviders {
+  Vault = "vault",
+  EnvKey = "env-key"
+}
--- a/backend/src/services/identity-ua/identity-ua-service.ts
+++ b/backend/src/services/identity-ua/identity-ua-service.ts
@@ -8,10 +8,18 @@ import {
  validatePrivilegeChangeOperation
 } from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
+import { KeyStorePrefixes, TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
-import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
+import {
+  BadRequestError,
+  NotFoundError,
+  PermissionBoundaryError,
+  RateLimitError,
+  UnauthorizedError
+} from "@app/lib/errors";
 import { checkIPAgainstBlocklist, extractIPDetails, isValidIpOrCidr, TIp } from "@app/lib/ip";
+import { logger } from "@app/lib/logger";

 import { ActorType, AuthTokenType } from "../auth/auth-type";
 import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
@@ -22,6 +30,7 @@ import { TIdentityUaClientSecretDALFactory } from "./identity-ua-client-secret-d
 import { TIdentityUaDALFactory } from "./identity-ua-dal";
 import {
  TAttachUaDTO,
+  TClearUaLockoutsDTO,
  TCreateUaClientSecretDTO,
  TGetUaClientSecretsDTO,
  TGetUaDTO,
@@ -38,30 +47,33 @@ type TIdentityUaServiceFactoryDep = {
  identityOrgMembershipDAL: TIdentityOrgDALFactory;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  keyStore: Pick<
+    TKeyStoreFactory,
+    "setItemWithExpiry" | "getItem" | "deleteItem" | "getKeysByPattern" | "deleteItems" | "acquireLock"
+  >;
 };

 export type TIdentityUaServiceFactory = ReturnType<typeof identityUaServiceFactory>;

+type LockoutObject = {
+  lockedOut: boolean;
+  failedAttempts: number;
+};
+
 export const identityUaServiceFactory = ({
  identityUaDAL,
  identityUaClientSecretDAL,
  identityAccessTokenDAL,
  identityOrgMembershipDAL,
  permissionService,
-  licenseService
+  licenseService,
+  keyStore
 }: TIdentityUaServiceFactoryDep) => {
  const login = async (clientId: string, clientSecret: string, ip: string) => {
    const identityUa = await identityUaDAL.findOne({ clientId });
    if (!identityUa) {
-      throw new NotFoundError({
-        message: "No identity with specified client ID was found"
-      });
-    }
-
-    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityUa.identityId });
-    if (!identityMembershipOrg) {
-      throw new NotFoundError({
-        message: "No identity with the org membership was found"
+      throw new UnauthorizedError({
+        message: "Invalid credentials"
      });
    }

@@ -69,119 +81,184 @@ export const identityUaServiceFactory = ({
      ipAddress: ip,
      trustedIps: identityUa.clientSecretTrustedIps as TIp[]
    });
-    const clientSecretPrefix = clientSecret.slice(0, 4);
-    const clientSecrtInfo = await identityUaClientSecretDAL.find({
-      identityUAId: identityUa.id,
-      isClientSecretRevoked: false,
-      clientSecretPrefix
-    });

-    let validClientSecretInfo: (typeof clientSecrtInfo)[0] | null = null;
-    for await (const info of clientSecrtInfo) {
-      const isMatch = await crypto.hashing().compareHash(clientSecret, info.clientSecretHash);
+    const LOCKOUT_KEY = `lockout:identity:${identityUa.identityId}:${IdentityAuthMethod.UNIVERSAL_AUTH}:${clientId}`;

-      if (isMatch) {
-        validClientSecretInfo = info;
-        break;
-      }
+    let lock: Awaited<ReturnType<typeof keyStore.acquireLock>>;
+    try {
+      lock = await keyStore.acquireLock([KeyStorePrefixes.IdentityLockoutLock(LOCKOUT_KEY)], 500, {
+        retryCount: 3,
+        retryDelay: 300,
+        retryJitter: 100
+      });
+    } catch (e) {
+      logger.info(
+        `identity login failed to acquire lock [identityId=${identityUa.identityId}] [authMethod=${IdentityAuthMethod.UNIVERSAL_AUTH}]`
+      );
+      throw new RateLimitError({ message: "Rate limit exceeded" });
    }

-    if (!validClientSecretInfo) throw new UnauthorizedError({ message: "Invalid credentials" });
+    try {
+      const lockoutRaw = await keyStore.getItem(LOCKOUT_KEY);

-    const { clientSecretTTL, clientSecretNumUses, clientSecretNumUsesLimit } = validClientSecretInfo;
-    if (Number(clientSecretTTL) > 0) {
-      const clientSecretCreated = new Date(validClientSecretInfo.createdAt);
-      const ttlInMilliseconds = Number(clientSecretTTL) * 1000;
-      const currentDate = new Date();
-      const expirationTime = new Date(clientSecretCreated.getTime() + ttlInMilliseconds);
+      let lockout: LockoutObject | undefined;
+      if (lockoutRaw) {
+        lockout = JSON.parse(lockoutRaw) as LockoutObject;
+      }

-      if (currentDate > expirationTime) {
+      if (lockout && lockout.lockedOut) {
+        throw new UnauthorizedError({
+          message: "This identity auth method is temporarily locked, please try again later"
+        });
+      }
+
+      const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityUa.identityId });
+      if (!identityMembershipOrg) {
+        throw new UnauthorizedError({
+          message: "Invalid credentials"
+        });
+      }
+
+      const clientSecretPrefix = clientSecret.slice(0, 4);
+      const clientSecretInfo = await identityUaClientSecretDAL.find({
+        identityUAId: identityUa.id,
+        isClientSecretRevoked: false,
+        clientSecretPrefix
+      });
+
+      let validClientSecretInfo: (typeof clientSecretInfo)[0] | null = null;
+      for await (const info of clientSecretInfo) {
+        const isMatch = await crypto.hashing().compareHash(clientSecret, info.clientSecretHash);
+
+        if (isMatch) {
+          validClientSecretInfo = info;
+          break;
+        }
+      }
+
+      if (!validClientSecretInfo) {
+        if (identityUa.lockoutEnabled) {
+          if (!lockout) {
+            lockout = {
+              lockedOut: false,
+              failedAttempts: 0
+            };
+          }
+
+          lockout.failedAttempts += 1;
+          if (lockout.failedAttempts >= identityUa.lockoutThreshold) {
+            lockout.lockedOut = true;
+          }
+
+          await keyStore.setItemWithExpiry(
+            LOCKOUT_KEY,
+            lockout.lockedOut ? identityUa.lockoutDurationSeconds : identityUa.lockoutCounterResetSeconds,
+            JSON.stringify(lockout)
+          );
+        }
+
+        throw new UnauthorizedError({ message: "Invalid credentials" });
+      } else if (lockout) {
+        await keyStore.deleteItem(LOCKOUT_KEY);
+      }
+
+      const { clientSecretTTL, clientSecretNumUses, clientSecretNumUsesLimit } = validClientSecretInfo;
+      if (Number(clientSecretTTL) > 0) {
+        const clientSecretCreated = new Date(validClientSecretInfo.createdAt);
+        const ttlInMilliseconds = Number(clientSecretTTL) * 1000;
+        const currentDate = new Date();
+        const expirationTime = new Date(clientSecretCreated.getTime() + ttlInMilliseconds);
+
+        if (currentDate > expirationTime) {
+          await identityUaClientSecretDAL.updateById(validClientSecretInfo.id, {
+            isClientSecretRevoked: true
+          });
+
+          throw new UnauthorizedError({
+            message: "Access denied due to expired client secret"
+          });
+        }
+      }
+
+      if (clientSecretNumUsesLimit > 0 && clientSecretNumUses >= clientSecretNumUsesLimit) {
+        // number of times client secret can be used for
+        // a login operation reached
        await identityUaClientSecretDAL.updateById(validClientSecretInfo.id, {
          isClientSecretRevoked: true
        });
-
        throw new UnauthorizedError({
-          message: "Access denied due to expired client secret"
+          message: "Access denied due to client secret usage limit reached"
        });
      }
-    }

-    if (clientSecretNumUsesLimit > 0 && clientSecretNumUses === clientSecretNumUsesLimit) {
-      // number of times client secret can be used for
-      // a login operation reached
-      await identityUaClientSecretDAL.updateById(validClientSecretInfo.id, {
-        isClientSecretRevoked: true
+      const accessTokenTTLParams =
+        Number(identityUa.accessTokenPeriod) === 0
+          ? {
+              accessTokenTTL: identityUa.accessTokenTTL,
+              accessTokenMaxTTL: identityUa.accessTokenMaxTTL
+            }
+          : {
+              accessTokenTTL: identityUa.accessTokenPeriod,
+              // We set a very large Max TTL for periodic tokens to ensure that clients (even outdated ones) can always renew their token
+              // without them having to update their SDKs, CLIs, etc. This workaround sets it to 30 years to emulate "forever"
+              accessTokenMaxTTL: 1000000000
+            };
+
+      const identityAccessToken = await identityUaDAL.transaction(async (tx) => {
+        const uaClientSecretDoc = await identityUaClientSecretDAL.incrementUsage(validClientSecretInfo!.id, tx);
+        await identityOrgMembershipDAL.updateById(
+          identityMembershipOrg.id,
+          {
+            lastLoginAuthMethod: IdentityAuthMethod.UNIVERSAL_AUTH,
+            lastLoginTime: new Date()
+          },
+          tx
+        );
+        const newToken = await identityAccessTokenDAL.create(
+          {
+            identityId: identityUa.identityId,
+            isAccessTokenRevoked: false,
+            identityUAClientSecretId: uaClientSecretDoc.id,
+            accessTokenNumUses: 0,
+            accessTokenNumUsesLimit: identityUa.accessTokenNumUsesLimit,
+            accessTokenPeriod: identityUa.accessTokenPeriod,
+            authMethod: IdentityAuthMethod.UNIVERSAL_AUTH,
+            ...accessTokenTTLParams
+          },
+          tx
+        );
+
+        return newToken;
      });
-      throw new UnauthorizedError({
-        message: "Access denied due to client secret usage limit reached"
-      });
-    }

-    const accessTokenTTLParams =
-      Number(identityUa.accessTokenPeriod) === 0
-        ? {
-            accessTokenTTL: identityUa.accessTokenTTL,
-            accessTokenMaxTTL: identityUa.accessTokenMaxTTL
-          }
-        : {
-            accessTokenTTL: identityUa.accessTokenPeriod,
-            // We set a very large Max TTL for periodic tokens to ensure that clients (even outdated ones) can always renew their token
-            // without them having to update their SDKs, CLIs, etc. This workaround sets it to 30 years to emulate "forever"
-            accessTokenMaxTTL: 1000000000
-          };
-
-    const identityAccessToken = await identityUaDAL.transaction(async (tx) => {
-      const uaClientSecretDoc = await identityUaClientSecretDAL.incrementUsage(validClientSecretInfo!.id, tx);
-      await identityOrgMembershipDAL.updateById(
-        identityMembershipOrg.id,
-        {
-          lastLoginAuthMethod: IdentityAuthMethod.UNIVERSAL_AUTH,
-          lastLoginTime: new Date()
-        },
-        tx
-      );
-      const newToken = await identityAccessTokenDAL.create(
+      const appCfg = getConfig();
+      const accessToken = crypto.jwt().sign(
        {
          identityId: identityUa.identityId,
-          isAccessTokenRevoked: false,
-          identityUAClientSecretId: uaClientSecretDoc.id,
-          accessTokenNumUses: 0,
-          accessTokenNumUsesLimit: identityUa.accessTokenNumUsesLimit,
-          accessTokenPeriod: identityUa.accessTokenPeriod,
-          authMethod: IdentityAuthMethod.UNIVERSAL_AUTH,
-          ...accessTokenTTLParams
-        },
-        tx
+          clientSecretId: validClientSecretInfo.id,
+          identityAccessTokenId: identityAccessToken.id,
+          authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+        } as TIdentityAccessTokenJwtPayload,
+        appCfg.AUTH_SECRET,
+        // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
+        Number(identityAccessToken.accessTokenTTL) === 0
+          ? undefined
+          : {
+              expiresIn: Number(identityAccessToken.accessTokenTTL)
+            }
      );

-      return newToken;
-    });
-
-    const appCfg = getConfig();
-    const accessToken = crypto.jwt().sign(
-      {
-        identityId: identityUa.identityId,
-        clientSecretId: validClientSecretInfo.id,
-        identityAccessTokenId: identityAccessToken.id,
-        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
-      } as TIdentityAccessTokenJwtPayload,
-      appCfg.AUTH_SECRET,
-      // akhilmhdh: for non-expiry tokens you should not even set the value, including undefined. Even for undefined jsonwebtoken throws error
-      Number(identityAccessToken.accessTokenTTL) === 0
-        ? undefined
-        : {
-            expiresIn: Number(identityAccessToken.accessTokenTTL)
-          }
-    );
-
-    return {
-      accessToken,
-      identityUa,
-      validClientSecretInfo,
-      identityAccessToken,
-      identityMembershipOrg,
-      ...accessTokenTTLParams
-    };
+      return {
+        accessToken,
+        identityUa,
+        validClientSecretInfo,
+        identityAccessToken,
+        identityMembershipOrg,
+        ...accessTokenTTLParams
+      };
+    } finally {
+      await lock.release();
+    }
  };

  const attachUniversalAuth = async ({
@@ -196,7 +273,11 @@ export const identityUaServiceFactory = ({
    actor,
    actorOrgId,
    isActorSuperAdmin,
-    accessTokenPeriod
+    accessTokenPeriod,
+    lockoutEnabled,
+    lockoutThreshold,
+    lockoutDurationSeconds,
+    lockoutCounterResetSeconds
  }: TAttachUaDTO) => {
    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);

@@ -266,7 +347,11 @@ export const identityUaServiceFactory = ({
          accessTokenTTL,
          accessTokenNumUsesLimit,
          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps),
-          accessTokenPeriod
+          accessTokenPeriod,
+          lockoutEnabled,
+          lockoutThreshold,
+          lockoutDurationSeconds,
+          lockoutCounterResetSeconds
        },
        tx
      );
@@ -286,7 +371,11 @@ export const identityUaServiceFactory = ({
    actorId,
    actorAuthMethod,
    actor,
-    actorOrgId
+    actorOrgId,
+    lockoutEnabled,
+    lockoutThreshold,
+    lockoutDurationSeconds,
+    lockoutCounterResetSeconds
  }: TUpdateUaDTO) => {
    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
@@ -362,7 +451,11 @@ export const identityUaServiceFactory = ({
      accessTokenPeriod,
      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
        ? JSON.stringify(reformattedAccessTokenTrustedIps)
-        : undefined
+        : undefined,
+      lockoutEnabled,
+      lockoutThreshold,
+      lockoutDurationSeconds,
+      lockoutCounterResetSeconds
    });
    return { ...updatedUaAuth, orgId: identityMembershipOrg.orgId };
  };
@@ -713,6 +806,38 @@ export const identityUaServiceFactory = ({
    return { ...updatedClientSecret, identityId, orgId: identityMembershipOrg.orgId };
  };

+  const clearUniversalAuthLockouts = async ({
+    identityId,
+    actorId,
+    actor,
+    actorOrgId,
+    actorAuthMethod
+  }: TClearUaLockoutsDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.UNIVERSAL_AUTH)) {
+      throw new BadRequestError({
+        message: "The identity does not have universal auth"
+      });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+
+    const deleted = await keyStore.deleteItems({
+      pattern: `lockout:identity:${identityId}:${IdentityAuthMethod.UNIVERSAL_AUTH}:*`
+    });
+
+    return { deleted, identityId, orgId: identityMembershipOrg.orgId };
+  };
+
  return {
    login,
    attachUniversalAuth,
@@ -722,6 +847,7 @@ export const identityUaServiceFactory = ({
    createUniversalAuthClientSecret,
    getUniversalAuthClientSecrets,
    revokeUniversalAuthClientSecret,
-    getUniversalAuthClientSecretById
+    getUniversalAuthClientSecretById,
+    clearUniversalAuthLockouts
  };
 };
--- a/backend/src/services/identity-ua/identity-ua-types.ts
+++ b/backend/src/services/identity-ua/identity-ua-types.ts
@@ -9,6 +9,10 @@ export type TAttachUaDTO = {
  clientSecretTrustedIps: { ipAddress: string }[];
  accessTokenTrustedIps: { ipAddress: string }[];
  isActorSuperAdmin?: boolean;
+  lockoutEnabled: boolean;
+  lockoutThreshold: number;
+  lockoutDurationSeconds: number;
+  lockoutCounterResetSeconds: number;
 } & Omit<TProjectPermission, "projectId">;

 export type TUpdateUaDTO = {
@@ -19,6 +23,10 @@ export type TUpdateUaDTO = {
  accessTokenPeriod?: number;
  clientSecretTrustedIps?: { ipAddress: string }[];
  accessTokenTrustedIps?: { ipAddress: string }[];
+  lockoutEnabled?: boolean;
+  lockoutThreshold?: number;
+  lockoutDurationSeconds?: number;
+  lockoutCounterResetSeconds?: number;
 } & Omit<TProjectPermission, "projectId">;

 export type TGetUaDTO = {
@@ -45,6 +53,10 @@ export type TRevokeUaClientSecretDTO = {
  clientSecretId: string;
 } & Omit<TProjectPermission, "projectId">;

+export type TClearUaLockoutsDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
 export type TGetUniversalAuthClientSecretByIdDTO = {
  identityId: string;
  clientSecretId: string;
--- a/backend/src/services/identity/identity-service.ts
+++ b/backend/src/services/identity/identity-service.ts
@@ -8,6 +8,7 @@ import {
  validatePrivilegeChangeOperation
 } from "@app/ee/services/permission/permission-fns";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service-types";
+import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { BadRequestError, NotFoundError, PermissionBoundaryError } from "@app/lib/errors";
 import { TIdentityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";

@@ -32,6 +33,7 @@ type TIdentityServiceFactoryDep = {
  identityProjectDAL: Pick<TIdentityProjectDALFactory, "findByIdentityId">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission" | "getOrgPermissionByRole">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
+  keyStore: Pick<TKeyStoreFactory, "getKeysByPattern">;
 };

 export type TIdentityServiceFactory = ReturnType<typeof identityServiceFactory>;
@@ -42,7 +44,8 @@ export const identityServiceFactory = ({
  identityOrgMembershipDAL,
  identityProjectDAL,
  permissionService,
-  licenseService
+  licenseService,
+  keyStore
 }: TIdentityServiceFactoryDep) => {
  const createIdentity = async ({
    name,
@@ -255,7 +258,20 @@ export const identityServiceFactory = ({
    );
    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);

-    return identity;
+    const activeLockouts = await keyStore.getKeysByPattern(`lockout:identity:${id}:*`);
+
+    const activeLockoutAuthMethods = new Set<string>();
+    activeLockouts.forEach((key) => {
+      const parts = key.split(":");
+      if (parts.length > 3) {
+        activeLockoutAuthMethods.add(parts[3]);
+      }
+    });
+
+    return {
+      ...identity,
+      identity: { ...identity.identity, activeLockoutAuthMethods: Array.from(activeLockoutAuthMethods) }
+    };
  };

  const deleteIdentity = async ({
--- a/backend/src/services/offline-usage-report/offline-usage-report-dal.ts
+++ b/backend/src/services/offline-usage-report/offline-usage-report-dal.ts
@@ -0,0 +1,208 @@
+import { TDbClient } from "@app/db";
+import { ProjectType, TableName } from "@app/db/schemas";
+
+export type TOfflineUsageReportDALFactory = ReturnType<typeof offlineUsageReportDALFactory>;
+
+export const offlineUsageReportDALFactory = (db: TDbClient) => {
+  const getUserMetrics = async () => {
+    // Get total users and admin users
+    const userMetrics = (await db
+      .from(TableName.Users)
+      .select(
+        db.raw(
+          `
+          COUNT(*) as total_users,
+          COUNT(CASE WHEN "superAdmin" = true THEN 1 END) as admin_users
+        `
+        )
+      )
+      .where({ isGhost: false })
+      .first()) as { total_users: string; admin_users: string } | undefined;
+
+    // Get users by auth method
+    const authMethodStats = (await db
+      .from(TableName.Users)
+      .select(
+        db.raw(`
+          unnest("authMethods") as auth_method,
+          COUNT(*) as count
+        `)
+      )
+      .where({ isGhost: false })
+      .whereNotNull("authMethods")
+      .groupBy(db.raw('unnest("authMethods")'))) as Array<{ auth_method: string; count: string }>;
+
+    const usersByAuthMethod = authMethodStats.reduce(
+      (acc: Record<string, number>, row: { auth_method: string; count: string }) => {
+        acc[row.auth_method] = parseInt(row.count, 10);
+        return acc;
+      },
+      {} as Record<string, number>
+    );
+
+    return {
+      totalUsers: parseInt(userMetrics?.total_users || "0", 10),
+      adminUsers: parseInt(userMetrics?.admin_users || "0", 10),
+      usersByAuthMethod
+    };
+  };
+
+  const getMachineIdentityMetrics = async () => {
+    // Get total machine identities
+    const identityMetrics = (await db
+      .from(TableName.Identity)
+      .select(
+        db.raw(
+          `
+          COUNT(*) as total_identities
+        `
+        )
+      )
+      .first()) as { total_identities: string } | undefined;
+
+    // Get identities by auth method
+    const authMethodStats = (await db
+      .from(TableName.Identity)
+      .select("authMethod")
+      .count("* as count")
+      .whereNotNull("authMethod")
+      .groupBy("authMethod")) as Array<{ authMethod: string; count: string }>;
+
+    const machineIdentitiesByAuthMethod = authMethodStats.reduce(
+      (acc: Record<string, number>, row: { authMethod: string; count: string }) => {
+        acc[row.authMethod] = parseInt(row.count, 10);
+        return acc;
+      },
+      {} as Record<string, number>
+    );
+
+    return {
+      totalMachineIdentities: parseInt(identityMetrics?.total_identities || "0", 10),
+      machineIdentitiesByAuthMethod
+    };
+  };
+
+  const getProjectMetrics = async () => {
+    // Get total projects and projects by type
+    const projectMetrics = (await db
+      .from(TableName.Project)
+      .select("type")
+      .count("* as count")
+      .groupBy("type")) as Array<{ type: string; count: string }>;
+
+    const totalProjects = projectMetrics.reduce(
+      (sum, row: { type: string; count: string }) => sum + parseInt(row.count, 10),
+      0
+    );
+    const projectsByType = projectMetrics.reduce(
+      (acc: Record<string, number>, row: { type: string; count: string }) => {
+        acc[row.type] = parseInt(row.count, 10);
+        return acc;
+      },
+      {} as Record<string, number>
+    );
+
+    // Calculate average secrets per project
+    const secretsPerProject = (await db
+      .from(`${TableName.SecretV2} as s`)
+      .select("p.id as projectId")
+      .count("s.id as count")
+      .leftJoin(`${TableName.SecretFolder} as sf`, "s.folderId", "sf.id")
+      .leftJoin(`${TableName.Environment} as e`, "sf.envId", "e.id")
+      .leftJoin(`${TableName.Project} as p`, "e.projectId", "p.id")
+      .where("p.type", ProjectType.SecretManager)
+      .groupBy("p.id")
+      .whereNotNull("p.id")) as Array<{ projectId: string; count: string }>;
+
+    const averageSecretsPerProject =
+      secretsPerProject.length > 0
+        ? secretsPerProject.reduce(
+            (sum, row: { projectId: string; count: string }) => sum + parseInt(row.count, 10),
+            0
+          ) / secretsPerProject.length
+        : 0;
+
+    return {
+      totalProjects,
+      projectsByType,
+      averageSecretsPerProject: Math.round(averageSecretsPerProject * 100) / 100
+    };
+  };
+
+  const getSecretMetrics = async () => {
+    // Get total secrets
+    const totalSecretsResult = (await db.from(TableName.SecretV2).count("* as count").first()) as
+      | { count: string }
+      | undefined;
+
+    const totalSecrets = parseInt(totalSecretsResult?.count || "0", 10);
+
+    // Get secrets by project
+    const secretsByProject = (await db
+      .from(`${TableName.SecretV2} as s`)
+      .select("p.id as projectId", "p.name as projectName")
+      .count("s.id as secretCount")
+      .leftJoin(`${TableName.SecretFolder} as sf`, "s.folderId", "sf.id")
+      .leftJoin(`${TableName.Environment} as e`, "sf.envId", "e.id")
+      .leftJoin(`${TableName.Project} as p`, "e.projectId", "p.id")
+      .where("p.type", ProjectType.SecretManager)
+      .groupBy("p.id", "p.name")
+      .whereNotNull("p.id")) as Array<{ projectId: string; projectName: string; secretCount: string }>;
+
+    return {
+      totalSecrets,
+      secretsByProject: secretsByProject.map(
+        (row: { projectId: string; projectName: string; secretCount: string }) => ({
+          projectId: row.projectId,
+          projectName: row.projectName,
+          secretCount: parseInt(row.secretCount, 10)
+        })
+      )
+    };
+  };
+
+  const getSecretSyncMetrics = async () => {
+    const totalSecretSyncsResult = (await db.from(TableName.SecretSync).count("* as count").first()) as
+      | { count: string }
+      | undefined;
+
+    return {
+      totalSecretSyncs: parseInt(totalSecretSyncsResult?.count || "0", 10)
+    };
+  };
+
+  const getDynamicSecretMetrics = async () => {
+    const totalDynamicSecretsResult = (await db.from(TableName.DynamicSecret).count("* as count").first()) as
+      | { count: string }
+      | undefined;
+
+    return {
+      totalDynamicSecrets: parseInt(totalDynamicSecretsResult?.count || "0", 10)
+    };
+  };
+
+  const getSecretRotationMetrics = async () => {
+    // Check both v1 and v2 secret rotation tables
+    const [v1RotationsResult, v2RotationsResult] = await Promise.all([
+      db.from(TableName.SecretRotation).count("* as count").first() as Promise<{ count: string } | undefined>,
+      db.from(TableName.SecretRotationV2).count("* as count").first() as Promise<{ count: string } | undefined>
+    ]);
+
+    const totalV1Rotations = parseInt(v1RotationsResult?.count || "0", 10);
+    const totalV2Rotations = parseInt(v2RotationsResult?.count || "0", 10);
+
+    return {
+      totalSecretRotations: totalV1Rotations + totalV2Rotations
+    };
+  };
+
+  return {
+    getUserMetrics,
+    getMachineIdentityMetrics,
+    getProjectMetrics,
+    getSecretMetrics,
+    getSecretSyncMetrics,
+    getDynamicSecretMetrics,
+    getSecretRotationMetrics
+  };
+};
--- a/backend/src/services/offline-usage-report/offline-usage-report-service.ts
+++ b/backend/src/services/offline-usage-report/offline-usage-report-service.ts
@@ -0,0 +1,133 @@
+import crypto from "crypto";
+
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { getConfig } from "@app/lib/config/env";
+import { BadRequestError } from "@app/lib/errors";
+
+import { TOfflineUsageReportDALFactory } from "./offline-usage-report-dal";
+
+type TOfflineUsageReportServiceFactoryDep = {
+  offlineUsageReportDAL: TOfflineUsageReportDALFactory;
+  licenseService: Pick<TLicenseServiceFactory, "getCustomerId" | "getLicenseId">;
+};
+
+export type TOfflineUsageReportServiceFactory = ReturnType<typeof offlineUsageReportServiceFactory>;
+
+export const offlineUsageReportServiceFactory = ({
+  offlineUsageReportDAL,
+  licenseService
+}: TOfflineUsageReportServiceFactoryDep) => {
+  const signReportContent = (content: string, licenseId: string): string => {
+    const contentHash = crypto.createHash("sha256").update(content).digest("hex");
+    const hmac = crypto.createHmac("sha256", licenseId);
+    hmac.update(contentHash);
+    return hmac.digest("hex");
+  };
+
+  const verifyReportContent = (content: string, signature: string, licenseId: string): boolean => {
+    const expectedSignature = signReportContent(content, licenseId);
+    return signature === expectedSignature;
+  };
+
+  const generateUsageReportCSV = async () => {
+    const cfg = getConfig();
+    if (!cfg.LICENSE_KEY_OFFLINE) {
+      throw new BadRequestError({
+        message: "Offline usage reports are not enabled. LICENSE_KEY_OFFLINE must be configured."
+      });
+    }
+
+    const customerId = licenseService.getCustomerId() as string;
+    const licenseId = licenseService.getLicenseId();
+
+    const [
+      userMetrics,
+      machineIdentityMetrics,
+      projectMetrics,
+      secretMetrics,
+      secretSyncMetrics,
+      dynamicSecretMetrics,
+      secretRotationMetrics
+    ] = await Promise.all([
+      offlineUsageReportDAL.getUserMetrics(),
+      offlineUsageReportDAL.getMachineIdentityMetrics(),
+      offlineUsageReportDAL.getProjectMetrics(),
+      offlineUsageReportDAL.getSecretMetrics(),
+      offlineUsageReportDAL.getSecretSyncMetrics(),
+      offlineUsageReportDAL.getDynamicSecretMetrics(),
+      offlineUsageReportDAL.getSecretRotationMetrics()
+    ]);
+
+    const headers = [
+      "Total Users",
+      "Admin Users",
+      "Total Identities",
+      "Total Projects",
+      "Total Secrets",
+      "Total Secret Syncs",
+      "Total Dynamic Secrets",
+      "Total Secret Rotations",
+      "Avg Secrets Per Project"
+    ];
+
+    const allUserAuthMethods = Object.keys(userMetrics.usersByAuthMethod);
+    allUserAuthMethods.forEach((method) => {
+      headers.push(`Users Auth ${method}`);
+    });
+
+    const allIdentityAuthMethods = Object.keys(machineIdentityMetrics.machineIdentitiesByAuthMethod);
+    allIdentityAuthMethods.forEach((method) => {
+      headers.push(`Identities Auth ${method}`);
+    });
+
+    const allProjectTypes = Object.keys(projectMetrics.projectsByType);
+    allProjectTypes.forEach((type) => {
+      headers.push(`Projects ${type}`);
+    });
+
+    headers.push("Signature");
+
+    const dataRow: (string | number)[] = [
+      userMetrics.totalUsers,
+      userMetrics.adminUsers,
+      machineIdentityMetrics.totalMachineIdentities,
+      projectMetrics.totalProjects,
+      secretMetrics.totalSecrets,
+      secretSyncMetrics.totalSecretSyncs,
+      dynamicSecretMetrics.totalDynamicSecrets,
+      secretRotationMetrics.totalSecretRotations,
+      projectMetrics.averageSecretsPerProject
+    ];
+
+    allUserAuthMethods.forEach((method) => {
+      dataRow.push(userMetrics.usersByAuthMethod[method] || 0);
+    });
+    allIdentityAuthMethods.forEach((method) => {
+      dataRow.push(machineIdentityMetrics.machineIdentitiesByAuthMethod[method] || 0);
+    });
+
+    allProjectTypes.forEach((type) => {
+      dataRow.push(projectMetrics.projectsByType[type] || 0);
+    });
+
+    const headersWithoutSignature = headers.slice(0, -1);
+    const contentWithoutSignature = [headersWithoutSignature.join(","), dataRow.join(",")].join("\n");
+
+    const signature = signReportContent(contentWithoutSignature, licenseId);
+    dataRow.push(signature);
+
+    const csvContent = [headers.join(","), dataRow.join(",")].join("\n");
+
+    return {
+      csvContent,
+      signature,
+      filename: `infisical-usage-report-${customerId}-${new Date().toISOString().split("T")[0]}.csv`
+    };
+  };
+
+  return {
+    generateUsageReportCSV,
+    verifyReportSignature: (csvContent: string, signature: string, licenseId: string) =>
+      verifyReportContent(csvContent, signature, licenseId)
+  };
+};
--- a/backend/src/services/offline-usage-report/offline-usage-report-types.ts
+++ b/backend/src/services/offline-usage-report/offline-usage-report-types.ts
@@ -0,0 +1,42 @@
+export interface TUsageMetrics {
+  // User metrics
+  totalUsers: number;
+  usersByAuthMethod: Record<string, number>;
+  adminUsers: number;
+
+  // Machine identity metrics
+  totalMachineIdentities: number;
+  machineIdentitiesByAuthMethod: Record<string, number>;
+
+  // Project metrics
+  totalProjects: number;
+  projectsByType: Record<string, number>;
+  averageSecretsPerProject: number;
+
+  // Secret metrics
+  totalSecrets: number;
+  totalSecretSyncs: number;
+  totalDynamicSecrets: number;
+  totalSecretRotations: number;
+}
+
+export interface TUsageReportMetadata {
+  generatedAt: string;
+  instanceId: string;
+  reportVersion: string;
+}
+
+export interface TUsageReport {
+  metadata: TUsageReportMetadata;
+  metrics: TUsageMetrics;
+  signature?: string;
+}
+
+export interface TGenerateUsageReportDTO {
+  includeSignature?: boolean;
+}
+
+export interface TVerifyUsageReportDTO {
+  reportData: string;
+  signature: string;
+}
--- a/backend/src/services/org-membership/org-membership-dal.ts
+++ b/backend/src/services/org-membership/org-membership-dal.ts
@@ -153,10 +153,64 @@ export const orgMembershipDALFactory = (db: TDbClient) => {
    }
  };

+  const findOrgMembershipsWithUsersByOrgId = async (orgId: string) => {
+    try {
+      const members = await db
+        .replicaNode()(TableName.OrgMembership)
+        .where(`${TableName.OrgMembership}.orgId`, orgId)
+        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin<TUserEncryptionKeys>(
+          TableName.UserEncryptionKey,
+          `${TableName.UserEncryptionKey}.userId`,
+          `${TableName.Users}.id`
+        )
+        .leftJoin(TableName.IdentityMetadata, (queryBuilder) => {
+          void queryBuilder
+            .on(`${TableName.OrgMembership}.userId`, `${TableName.IdentityMetadata}.userId`)
+            .andOn(`${TableName.OrgMembership}.orgId`, `${TableName.IdentityMetadata}.orgId`);
+        })
+        .select(
+          db.ref("id").withSchema(TableName.OrgMembership),
+          db.ref("inviteEmail").withSchema(TableName.OrgMembership),
+          db.ref("orgId").withSchema(TableName.OrgMembership),
+          db.ref("role").withSchema(TableName.OrgMembership),
+          db.ref("roleId").withSchema(TableName.OrgMembership),
+          db.ref("status").withSchema(TableName.OrgMembership),
+          db.ref("isActive").withSchema(TableName.OrgMembership),
+          db.ref("email").withSchema(TableName.Users),
+          db.ref("username").withSchema(TableName.Users),
+          db.ref("firstName").withSchema(TableName.Users),
+          db.ref("lastName").withSchema(TableName.Users),
+          db.ref("isEmailVerified").withSchema(TableName.Users),
+          db.ref("id").withSchema(TableName.Users).as("userId")
+        )
+        .where({ isGhost: false });
+
+      return members.map((member) => ({
+        id: member.id,
+        orgId: member.orgId,
+        role: member.role,
+        status: member.status,
+        isActive: member.isActive,
+        inviteEmail: member.inviteEmail,
+        user: {
+          id: member.userId,
+          email: member.email,
+          username: member.username,
+          firstName: member.firstName,
+          lastName: member.lastName
+        }
+      }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find org memberships with users by org id" });
+    }
+  };
+
  return {
    ...orgMembershipOrm,
    findOrgMembershipById,
    findRecentInvitedMemberships,
-    updateLastInvitedAtByIds
+    updateLastInvitedAtByIds,
+    findOrgMembershipsWithUsersByOrgId
  };
 };
--- a/backend/src/services/org/org-dal.ts
+++ b/backend/src/services/org/org-dal.ts
@@ -83,6 +83,7 @@ export const orgDALFactory = (db: TDbClient) => {
        .select(db.ref("id").withSchema(TableName.OrgMembership).as("orgMembershipId"))
        .select(db.ref("role").withSchema(TableName.OrgMembership).as("orgMembershipRole"))
        .select(db.ref("roleId").withSchema(TableName.OrgMembership).as("orgMembershipRoleId"))
+        .select(db.ref("status").withSchema(TableName.OrgMembership).as("orgMembershipStatus"))
        .select(db.ref("name").withSchema(TableName.OrgRoles).as("orgMembershipRoleName"));

      const formattedDocs = sqlNestRelationships({
@@ -112,7 +113,8 @@ export const orgDALFactory = (db: TDbClient) => {
              orgMembershipId,
              orgMembershipRole,
              orgMembershipRoleName,
-              orgMembershipRoleId
+              orgMembershipRoleId,
+              orgMembershipStatus
            }) => ({
              user: {
                id: userId,
@@ -121,6 +123,7 @@ export const orgDALFactory = (db: TDbClient) => {
                firstName,
                lastName
              },
+              status: orgMembershipStatus,
              membershipId: orgMembershipId,
              role: orgMembershipRoleName || orgMembershipRole, // custom role name or pre-defined role name
              roleId: orgMembershipRoleId
@@ -488,6 +491,15 @@ export const orgDALFactory = (db: TDbClient) => {
    }
  };

+  const bulkCreateMemberships = async (data: TOrgMembershipsInsert[], tx?: Knex) => {
+    try {
+      const memberships = await (tx || db)(TableName.OrgMembership).insert(data).returning("*");
+      return memberships;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Create org memberships" });
+    }
+  };
+
  const updateMembershipById = async (id: string, data: TOrgMembershipsUpdate, tx?: Knex) => {
    try {
      const [membership] = await (tx || db)(TableName.OrgMembership).where({ id }).update(data).returning("*");
@@ -668,6 +680,7 @@ export const orgDALFactory = (db: TDbClient) => {
    findMembership,
    findMembershipWithScimFilter,
    createMembership,
+    bulkCreateMemberships,
    updateMembershipById,
    deleteMembershipById,
    deleteMembershipsById,
--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@@ -528,15 +528,18 @@ export const orgServiceFactory = ({
  /*
   * Create organization
   * */
-  const createOrganization = async ({
-    userId,
-    userEmail,
-    orgName
-  }: {
-    userId: string;
-    orgName: string;
-    userEmail?: string | null;
-  }) => {
+  const createOrganization = async (
+    {
+      userId,
+      userEmail,
+      orgName
+    }: {
+      userId?: string;
+      orgName: string;
+      userEmail?: string | null;
+    },
+    trx?: Knex
+  ) => {
    const { privateKey, publicKey } = await crypto.encryption().asymmetric().generateKeyPair();
    const key = crypto.randomBytes(32).toString("base64");
    const {
@@ -555,22 +558,25 @@ export const orgServiceFactory = ({
    } = crypto.encryption().symmetric().encryptWithRootEncryptionKey(key);

    const customerId = await licenseService.generateOrgCustomerId(orgName, userEmail);
-    const organization = await orgDAL.transaction(async (tx) => {
+
+    const createOrg = async (tx: Knex) => {
      // akhilmhdh: for now this is auto created. in future we can input from user and for previous users just modifiy
      const org = await orgDAL.create(
        { name: orgName, customerId, slug: slugify(`${orgName}-${alphaNumericNanoId(4)}`) },
        tx
      );
-      await orgDAL.createMembership(
-        {
-          userId,
-          orgId: org.id,
-          role: OrgMembershipRole.Admin,
-          status: OrgMembershipStatus.Accepted,
-          isActive: true
-        },
-        tx
-      );
+      if (userId) {
+        await orgDAL.createMembership(
+          {
+            userId,
+            orgId: org.id,
+            role: OrgMembershipRole.Admin,
+            status: OrgMembershipStatus.Accepted,
+            isActive: true
+          },
+          tx
+        );
+      }
      await orgBotDAL.create(
        {
          name: org.name,
@@ -590,7 +596,9 @@ export const orgServiceFactory = ({
        tx
      );
      return org;
-    });
+    };
+
+    const organization = await (trx ? createOrg(trx) : orgDAL.transaction(createOrg));

    await licenseService.updateSubscriptionOrgMemberCount(organization.id);
    return organization;
--- a/backend/src/services/pki-subscriber/pki-subscriber-schema.ts
+++ b/backend/src/services/pki-subscriber/pki-subscriber-schema.ts
@@ -18,7 +18,8 @@ export const sanitizedPkiSubscriber = PkiSubscribersSchema.pick({
  lastOperationAt: true,
  enableAutoRenewal: true,
  autoRenewalPeriodInDays: true,
-  lastAutoRenewAt: true
+  lastAutoRenewAt: true,
+  properties: true
 }).extend({
  supportsImmediateCertIssuance: z.boolean().optional()
 });
--- a/backend/src/services/pki-subscriber/pki-subscriber-service.ts
+++ b/backend/src/services/pki-subscriber/pki-subscriber-service.ts
@@ -109,6 +109,7 @@ export const pkiSubscriberServiceFactory = ({
    extendedKeyUsages,
    enableAutoRenewal,
    autoRenewalPeriodInDays,
+    properties,
    projectId,
    actorId,
    actorAuthMethod,
@@ -157,7 +158,8 @@ export const pkiSubscriberServiceFactory = ({
      keyUsages,
      extendedKeyUsages,
      enableAutoRenewal,
-      autoRenewalPeriodInDays
+      autoRenewalPeriodInDays,
+      properties
    });

    return newSubscriber;
@@ -221,6 +223,7 @@ export const pkiSubscriberServiceFactory = ({
    extendedKeyUsages,
    enableAutoRenewal,
    autoRenewalPeriodInDays,
+    properties,
    actorId,
    actorAuthMethod,
    actor,
@@ -275,7 +278,8 @@ export const pkiSubscriberServiceFactory = ({
      keyUsages,
      extendedKeyUsages,
      enableAutoRenewal,
-      autoRenewalPeriodInDays
+      autoRenewalPeriodInDays,
+      properties
    });

    return updatedSubscriber;
@@ -360,7 +364,7 @@ export const pkiSubscriberServiceFactory = ({
      throw new BadRequestError({ message: "CA is disabled" });
    }

-    if (ca.externalCa?.id && ca.externalCa.type === CaType.ACME) {
+    if (ca.externalCa?.id && (ca.externalCa.type === CaType.ACME || ca.externalCa.type === CaType.AZURE_AD_CS)) {
      await certificateAuthorityQueue.orderCertificateForSubscriber({
        subscriberId: subscriber.id,
        caType: ca.externalCa.type
--- a/backend/src/services/pki-subscriber/pki-subscriber-types.ts
+++ b/backend/src/services/pki-subscriber/pki-subscriber-types.ts
@@ -18,6 +18,7 @@ export type TCreatePkiSubscriberDTO = {
  extendedKeyUsages: CertExtendedKeyUsage[];
  enableAutoRenewal?: boolean;
  autoRenewalPeriodInDays?: number;
+  properties?: TPkiSubscriberProperties;
 } & TProjectPermission;

 export type TGetPkiSubscriberDTO = {
@@ -36,6 +37,7 @@ export type TUpdatePkiSubscriberDTO = {
  extendedKeyUsages?: CertExtendedKeyUsage[];
  enableAutoRenewal?: boolean;
  autoRenewalPeriodInDays?: number;
+  properties?: TPkiSubscriberProperties;
 } & TProjectPermission;

 export type TDeletePkiSubscriberDTO = {
@@ -69,3 +71,13 @@ export enum SubscriberOperationStatus {
  SUCCESS = "success",
  FAILED = "failed"
 }
+
+export type TPkiSubscriberProperties = {
+  azureTemplateType?: string;
+  organization?: string;
+  organizationalUnit?: string;
+  country?: string;
+  state?: string;
+  locality?: string;
+  emailAddress?: string;
+};
--- a/backend/src/services/secret-folder/secret-folder-service.ts
+++ b/backend/src/services/secret-folder/secret-folder-service.ts
@@ -30,6 +30,7 @@ import {
  TDeleteFolderDTO,
  TDeleteManyFoldersDTO,
  TGetFolderByIdDTO,
+  TGetFolderByPathDTO,
  TGetFolderDTO,
  TGetFoldersDeepByEnvsDTO,
  TUpdateFolderDTO,
@@ -1398,6 +1399,31 @@ export const secretFolderServiceFactory = ({
    };
  };

+  const getFolderByPath = async (
+    { projectId, environment, secretPath }: TGetFolderByPathDTO,
+    actor: OrgServiceActor
+  ) => {
+    // folder check is allowed to be read by anyone
+    // permission is to check if user has access
+    await permissionService.getProjectPermission({
+      actor: actor.type,
+      actorId: actor.id,
+      projectId,
+      actorAuthMethod: actor.authMethod,
+      actorOrgId: actor.orgId,
+      actionProjectType: ActionProjectType.SecretManager
+    });
+
+    const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
+
+    if (!folder)
+      throw new NotFoundError({
+        message: `Could not find folder with path "${secretPath}" in environment "${environment}" for project with ID "${projectId}"`
+      });
+
+    return folder;
+  };
+
  return {
    createFolder,
    updateFolder,
@@ -1405,6 +1431,7 @@ export const secretFolderServiceFactory = ({
    deleteFolder,
    getFolders,
    getFolderById,
+    getFolderByPath,
    getProjectFolderCount,
    getFoldersMultiEnv,
    getFoldersDeepByEnvs,
--- a/backend/src/services/secret-folder/secret-folder-types.ts
+++ b/backend/src/services/secret-folder/secret-folder-types.ts
@@ -91,3 +91,9 @@ export type TDeleteManyFoldersDTO = {
    idOrName: string;
  }>;
 };
+
+export type TGetFolderByPathDTO = {
+  projectId: string;
+  environment: string;
+  secretPath: string;
+};
--- a/backend/src/services/secret-sync/hc-vault/hc-vault-sync-fns.ts
+++ b/backend/src/services/secret-sync/hc-vault/hc-vault-sync-fns.ts
@@ -1,9 +1,13 @@
 import { isAxiosError } from "axios";

-import { request } from "@app/lib/config/request";
+import { TGatewayServiceFactory } from "@app/ee/services/gateway/gateway-service";
 import { removeTrailingSlash } from "@app/lib/fn";
-import { blockLocalAndPrivateIpAddresses } from "@app/lib/validator";
-import { getHCVaultAccessToken, getHCVaultInstanceUrl } from "@app/services/app-connection/hc-vault";
+import {
+  getHCVaultAccessToken,
+  getHCVaultInstanceUrl,
+  requestWithHCVaultGateway,
+  THCVaultConnection
+} from "@app/services/app-connection/hc-vault";
 import {
  THCVaultListVariables,
  THCVaultListVariablesResponse,
@@ -14,19 +18,20 @@ import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
 import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";

-const listHCVaultVariables = async ({ instanceUrl, namespace, mount, accessToken, path }: THCVaultListVariables) => {
-  await blockLocalAndPrivateIpAddresses(instanceUrl);
-
+const listHCVaultVariables = async (
+  { instanceUrl, namespace, mount, accessToken, path }: THCVaultListVariables,
+  connection: THCVaultConnection,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
+) => {
  try {
-    const { data } = await request.get<THCVaultListVariablesResponse>(
-      `${instanceUrl}/v1/${removeTrailingSlash(mount)}/data/${path}`,
-      {
-        headers: {
-          "X-Vault-Token": accessToken,
-          ...(namespace ? { "X-Vault-Namespace": namespace } : {})
-        }
+    const { data } = await requestWithHCVaultGateway<THCVaultListVariablesResponse>(connection, gatewayService, {
+      url: `${instanceUrl}/v1/${removeTrailingSlash(mount)}/data/${path}`,
+      method: "GET",
+      headers: {
+        "X-Vault-Token": accessToken,
+        ...(namespace ? { "X-Vault-Namespace": namespace } : {})
      }
-    );
+    });

    return data.data.data;
  } catch (error: unknown) {
@@ -39,33 +44,29 @@ const listHCVaultVariables = async ({ instanceUrl, namespace, mount, accessToken
 };

 // Hashicorp Vault updates all variables in one batch. This is to respect their versioning
-const updateHCVaultVariables = async ({
-  path,
-  instanceUrl,
-  namespace,
-  accessToken,
-  mount,
-  data
-}: TPostHCVaultVariable) => {
-  await blockLocalAndPrivateIpAddresses(instanceUrl);
-
-  return request.post(
-    `${instanceUrl}/v1/${removeTrailingSlash(mount)}/data/${path}`,
-    {
-      data
+const updateHCVaultVariables = async (
+  { path, instanceUrl, namespace, accessToken, mount, data }: TPostHCVaultVariable,
+  connection: THCVaultConnection,
+  gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
+) => {
+  return requestWithHCVaultGateway(connection, gatewayService, {
+    url: `${instanceUrl}/v1/${removeTrailingSlash(mount)}/data/${path}`,
+    method: "POST",
+    headers: {
+      "X-Vault-Token": accessToken,
+      ...(namespace ? { "X-Vault-Namespace": namespace } : {}),
+      "Content-Type": "application/json"
    },
-    {
-      headers: {
-        "X-Vault-Token": accessToken,
-        ...(namespace ? { "X-Vault-Namespace": namespace } : {}),
-        "Content-Type": "application/json"
-      }
-    }
-  );
+    data: { data }
+  });
 };

 export const HCVaultSyncFns = {
-  syncSecrets: async (secretSync: THCVaultSyncWithCredentials, secretMap: TSecretMap) => {
+  syncSecrets: async (
+    secretSync: THCVaultSyncWithCredentials,
+    secretMap: TSecretMap,
+    gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
+  ) => {
    const {
      connection,
      environment,
@@ -74,16 +75,20 @@ export const HCVaultSyncFns = {
    } = secretSync;

    const { namespace } = connection.credentials;
-    const accessToken = await getHCVaultAccessToken(connection);
+    const accessToken = await getHCVaultAccessToken(connection, gatewayService);
    const instanceUrl = await getHCVaultInstanceUrl(connection);

-    const variables = await listHCVaultVariables({
-      instanceUrl,
-      accessToken,
-      namespace,
-      mount,
-      path
-    });
+    const variables = await listHCVaultVariables(
+      {
+        instanceUrl,
+        accessToken,
+        namespace,
+        mount,
+        path
+      },
+      connection,
+      gatewayService
+    );
    let tainted = false;

    for (const entry of Object.entries(secretMap)) {
@@ -110,24 +115,36 @@ export const HCVaultSyncFns = {
    if (!tainted) return;

    try {
-      await updateHCVaultVariables({ accessToken, instanceUrl, namespace, mount, path, data: variables });
+      await updateHCVaultVariables(
+        { accessToken, instanceUrl, namespace, mount, path, data: variables },
+        connection,
+        gatewayService
+      );
    } catch (error) {
      throw new SecretSyncError({
        error
      });
    }
  },
-  removeSecrets: async (secretSync: THCVaultSyncWithCredentials, secretMap: TSecretMap) => {
+  removeSecrets: async (
+    secretSync: THCVaultSyncWithCredentials,
+    secretMap: TSecretMap,
+    gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
+  ) => {
    const {
      connection,
      destinationConfig: { mount, path }
    } = secretSync;

    const { namespace } = connection.credentials;
-    const accessToken = await getHCVaultAccessToken(connection);
+    const accessToken = await getHCVaultAccessToken(connection, gatewayService);
    const instanceUrl = await getHCVaultInstanceUrl(connection);

-    const variables = await listHCVaultVariables({ instanceUrl, namespace, accessToken, mount, path });
+    const variables = await listHCVaultVariables(
+      { instanceUrl, namespace, accessToken, mount, path },
+      connection,
+      gatewayService
+    );

    for await (const [key] of Object.entries(variables)) {
      if (key in secretMap) {
@@ -136,30 +153,41 @@ export const HCVaultSyncFns = {
    }

    try {
-      await updateHCVaultVariables({ accessToken, instanceUrl, namespace, mount, path, data: variables });
+      await updateHCVaultVariables(
+        { accessToken, instanceUrl, namespace, mount, path, data: variables },
+        connection,
+        gatewayService
+      );
    } catch (error) {
      throw new SecretSyncError({
        error
      });
    }
  },
-  getSecrets: async (secretSync: THCVaultSyncWithCredentials) => {
+  getSecrets: async (
+    secretSync: THCVaultSyncWithCredentials,
+    gatewayService: Pick<TGatewayServiceFactory, "fnGetGatewayClientTlsByGatewayId">
+  ) => {
    const {
      connection,
      destinationConfig: { mount, path }
    } = secretSync;

    const { namespace } = connection.credentials;
-    const accessToken = await getHCVaultAccessToken(connection);
+    const accessToken = await getHCVaultAccessToken(connection, gatewayService);
    const instanceUrl = await getHCVaultInstanceUrl(connection);

-    const variables = await listHCVaultVariables({
-      instanceUrl,
-      namespace,
-      accessToken,
-      mount,
-      path
-    });
+    const variables = await listHCVaultVariables(
+      {
+        instanceUrl,
+        namespace,
+        accessToken,
+        mount,
+        path
+      },
+      connection,
+      gatewayService
+    );

    return Object.fromEntries(Object.entries(variables).map(([key, value]) => [key, { value }]));
  }
--- a/backend/src/services/secret-sync/secret-sync-fns.ts
+++ b/backend/src/services/secret-sync/secret-sync-fns.ts
@@ -244,7 +244,7 @@ export const SecretSyncFns = {
      case SecretSync.Windmill:
        return WindmillSyncFns.syncSecrets(secretSync, schemaSecretMap);
      case SecretSync.HCVault:
-        return HCVaultSyncFns.syncSecrets(secretSync, schemaSecretMap);
+        return HCVaultSyncFns.syncSecrets(secretSync, schemaSecretMap, gatewayService);
      case SecretSync.TeamCity:
        return TeamCitySyncFns.syncSecrets(secretSync, schemaSecretMap);
      case SecretSync.OCIVault:
@@ -283,7 +283,7 @@ export const SecretSyncFns = {
  },
  getSecrets: async (
    secretSync: TSecretSyncWithCredentials,
-    { kmsService, appConnectionDAL }: TSyncSecretDeps
+    { kmsService, appConnectionDAL, gatewayService }: TSyncSecretDeps
  ): Promise<TSecretMap> => {
    let secretMap: TSecretMap;
    switch (secretSync.destination) {
@@ -341,7 +341,7 @@ export const SecretSyncFns = {
        secretMap = await WindmillSyncFns.getSecrets(secretSync);
        break;
      case SecretSync.HCVault:
-        secretMap = await HCVaultSyncFns.getSecrets(secretSync);
+        secretMap = await HCVaultSyncFns.getSecrets(secretSync, gatewayService);
        break;
      case SecretSync.TeamCity:
        secretMap = await TeamCitySyncFns.getSecrets(secretSync);
@@ -451,7 +451,7 @@ export const SecretSyncFns = {
      case SecretSync.Windmill:
        return WindmillSyncFns.removeSecrets(secretSync, schemaSecretMap);
      case SecretSync.HCVault:
-        return HCVaultSyncFns.removeSecrets(secretSync, schemaSecretMap);
+        return HCVaultSyncFns.removeSecrets(secretSync, schemaSecretMap, gatewayService);
      case SecretSync.TeamCity:
        return TeamCitySyncFns.removeSecrets(secretSync, schemaSecretMap);
      case SecretSync.OCIVault:
--- a/backend/src/services/smtp/emails/OrganizationAssignmentTemplate.tsx
+++ b/backend/src/services/smtp/emails/OrganizationAssignmentTemplate.tsx
@@ -0,0 +1,69 @@
+import { Heading, Section, Text } from "@react-email/components";
+import React from "react";
+
+import { BaseButton } from "./BaseButton";
+import { BaseEmailWrapper, BaseEmailWrapperProps } from "./BaseEmailWrapper";
+import { BaseLink } from "./BaseLink";
+
+interface OrganizationAssignmentTemplateProps extends Omit<BaseEmailWrapperProps, "preview" | "title"> {
+  inviterFirstName?: string;
+  inviterUsername?: string;
+  organizationName: string;
+  callback_url: string;
+}
+
+export const OrganizationAssignmentTemplate = ({
+  organizationName,
+  inviterFirstName,
+  inviterUsername,
+  callback_url,
+  siteUrl
+}: OrganizationAssignmentTemplateProps) => {
+  return (
+    <BaseEmailWrapper
+      title="New Organization"
+      preview="You've been added to a new organization on Infisical."
+      siteUrl={siteUrl}
+    >
+      <Heading className="text-black text-[18px] leading-[28px] text-center font-normal p-0 mx-0">
+        You've been added to the organization
+        <br />
+        <strong>{organizationName}</strong> on <strong>Infisical</strong>
+      </Heading>
+      <Section className="px-[24px] mb-[28px] mt-[36px] pt-[12px] pb-[8px] border text-center border-solid border-gray-200 rounded-md bg-gray-50">
+        <Text className="text-black text-[14px] leading-[24px]">
+          {inviterFirstName && inviterUsername ? (
+            <>
+              <strong>{inviterFirstName}</strong> (
+              <BaseLink href={`mailto:${inviterUsername}`}>{inviterUsername}</BaseLink>) has added you as an
+              organization admin to <strong>{organizationName}</strong>.
+            </>
+          ) : (
+            <>
+              An instance admin has added you as an organization admin to <strong>{organizationName}</strong>.
+            </>
+          )}
+        </Text>
+      </Section>
+      <Section className="text-center">
+        <BaseButton href={callback_url}>View Dashboard</BaseButton>
+      </Section>
+      <Section className="mt-[24px] bg-gray-50 pt-[2px] pb-[16px] border border-solid border-gray-200 px-[24px] rounded-md text-gray-800">
+        <Text className="mb-[0px]">
+          <strong>About Infisical:</strong> Infisical is an all-in-one platform to securely manage application secrets,
+          certificates, SSH keys, and configurations across your team and infrastructure.
+        </Text>
+      </Section>
+    </BaseEmailWrapper>
+  );
+};
+
+export default OrganizationAssignmentTemplate;
+
+OrganizationAssignmentTemplate.PreviewProps = {
+  organizationName: "Example Organization",
+  inviterFirstName: "Jane",
+  inviterUsername: "jane@infisical.com",
+  siteUrl: "https://infisical.com",
+  callback_url: "https://app.infisical.com"
+} as OrganizationAssignmentTemplateProps;
--- a/backend/src/services/smtp/emails/index.ts
+++ b/backend/src/services/smtp/emails/index.ts
@@ -9,6 +9,7 @@ export * from "./IntegrationSyncFailedTemplate";
 export * from "./NewDeviceLoginTemplate";
 export * from "./OrgAdminBreakglassAccessTemplate";
 export * from "./OrgAdminProjectGrantAccessTemplate";
+export * from "./OrganizationAssignmentTemplate";
 export * from "./OrganizationInvitationTemplate";
 export * from "./PasswordResetTemplate";
 export * from "./PasswordSetupTemplate";
--- a/backend/src/services/smtp/smtp-service.ts
+++ b/backend/src/services/smtp/smtp-service.ts
@@ -18,6 +18,7 @@ import {
  NewDeviceLoginTemplate,
  OrgAdminBreakglassAccessTemplate,
  OrgAdminProjectGrantAccessTemplate,
+  OrganizationAssignmentTemplate,
  OrganizationInvitationTemplate,
  PasswordResetTemplate,
  PasswordSetupTemplate,
@@ -61,6 +62,7 @@ export enum SmtpTemplates {
  // HistoricalSecretList = "historicalSecretLeakIncident", not used anymore?
  NewDeviceJoin = "newDevice",
  OrgInvite = "organizationInvitation",
+  OrgAssignment = "organizationAssignment",
  ResetPassword = "passwordReset",
  SetupPassword = "passwordSetup",
  SecretLeakIncident = "secretLeakIncident",
@@ -94,6 +96,7 @@ export enum SmtpHost {
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const EmailTemplateMap: Record<SmtpTemplates, React.FC<any>> = {
  [SmtpTemplates.OrgInvite]: OrganizationInvitationTemplate,
+  [SmtpTemplates.OrgAssignment]: OrganizationAssignmentTemplate,
  [SmtpTemplates.NewDeviceJoin]: NewDeviceLoginTemplate,
  [SmtpTemplates.SignupEmailVerification]: SignupEmailVerificationTemplate,
  [SmtpTemplates.EmailMfa]: EmailMfaTemplate,
--- a/backend/src/services/super-admin/super-admin-service.ts
+++ b/backend/src/services/super-admin/super-admin-service.ts
@@ -1,6 +1,13 @@
 import { CronJob } from "cron";

-import { IdentityAuthMethod, OrgMembershipRole, TSuperAdmin, TSuperAdminUpdate } from "@app/db/schemas";
+import {
+  IdentityAuthMethod,
+  OrgMembershipRole,
+  OrgMembershipStatus,
+  TSuperAdmin,
+  TSuperAdminUpdate,
+  TUsers
+} from "@app/db/schemas";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { PgSqlLock, TKeyStoreFactory } from "@app/keystore/keystore";
 import {
@@ -13,7 +20,12 @@ import {
 import { crypto } from "@app/lib/crypto/cryptography";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
+import { OrgServiceActor } from "@app/lib/types";
+import { isDisposableEmail } from "@app/lib/validator";
+import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
+import { TokenType } from "@app/services/auth-token/auth-token-types";
 import { TIdentityDALFactory } from "@app/services/identity/identity-dal";
+import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";

 import { TAuthLoginFactory } from "../auth/auth-login-service";
 import { ActorType, AuthMethod, AuthTokenType } from "../auth/auth-type";
@@ -43,7 +55,9 @@ import {
  TAdminGetUsersDTO,
  TAdminIntegrationConfig,
  TAdminSignUpDTO,
-  TGetOrganizationsDTO
+  TCreateOrganizationDTO,
+  TGetOrganizationsDTO,
+  TResendOrgInviteDTO
 } from "./super-admin-types";

 type TSuperAdminServiceFactoryDep = {
@@ -59,11 +73,13 @@ type TSuperAdminServiceFactoryDep = {
  authService: Pick<TAuthLoginFactory, "generateUserTokens">;
  kmsService: Pick<TKmsServiceFactory, "encryptWithRootKey" | "decryptWithRootKey" | "updateEncryptionStrategy">;
  kmsRootConfigDAL: TKmsRootConfigDALFactory;
-  orgService: Pick<TOrgServiceFactory, "createOrganization">;
+  orgService: Pick<TOrgServiceFactory, "createOrganization" | "inviteUserToOrganization">;
  keyStore: Pick<TKeyStoreFactory, "getItem" | "setItemWithExpiry" | "deleteItem" | "deleteItems">;
-  licenseService: Pick<TLicenseServiceFactory, "onPremFeatures">;
+  licenseService: Pick<TLicenseServiceFactory, "onPremFeatures" | "updateSubscriptionOrgMemberCount">;
  microsoftTeamsService: Pick<TMicrosoftTeamsServiceFactory, "initializeTeamsBot">;
  invalidateCacheQueue: TInvalidateCacheQueueFactory;
+  smtpService: Pick<TSmtpService, "sendMail">;
+  tokenService: TAuthTokenServiceFactory;
 };

 export type TSuperAdminServiceFactory = ReturnType<typeof superAdminServiceFactory>;
@@ -123,7 +139,9 @@ export const superAdminServiceFactory = ({
  identityTokenAuthDAL,
  identityOrgMembershipDAL,
  microsoftTeamsService,
-  invalidateCacheQueue
+  invalidateCacheQueue,
+  smtpService,
+  tokenService
 }: TSuperAdminServiceFactoryDep) => {
  const initServerCfg = async () => {
    // TODO(akhilmhdh): bad  pattern time less change this later to me itself
@@ -732,6 +750,159 @@ export const superAdminServiceFactory = ({
    return organizations;
  };

+  const createOrganization = async (
+    { name, inviteAdminEmails: emails }: TCreateOrganizationDTO,
+    actor: OrgServiceActor
+  ) => {
+    const appCfg = getConfig();
+
+    const inviteAdminEmails = [...new Set(emails)];
+
+    if (!appCfg.isDevelopmentMode && appCfg.isCloud)
+      throw new BadRequestError({ message: "This endpoint is not supported for cloud instances" });
+
+    const serverAdmin = await userDAL.findById(actor.id);
+    const plan = licenseService.onPremFeatures;
+
+    const isEmailInvalid = await isDisposableEmail(inviteAdminEmails);
+    if (isEmailInvalid) {
+      throw new BadRequestError({
+        message: "Disposable emails are not allowed",
+        name: "InviteUser"
+      });
+    }
+
+    const { organization, users: usersToEmail } = await orgDAL.transaction(async (tx) => {
+      const org = await orgService.createOrganization(
+        {
+          orgName: name,
+          userEmail: serverAdmin?.email ?? serverAdmin?.username // identities can be server admins so we can't require this
+        },
+        tx
+      );
+
+      const users: Pick<TUsers, "id" | "firstName" | "lastName" | "email" | "username" | "isAccepted">[] = [];
+
+      for await (const inviteeEmail of inviteAdminEmails) {
+        const usersByUsername = await userDAL.findUserByUsername(inviteeEmail, tx);
+        let inviteeUser =
+          usersByUsername?.length > 1
+            ? usersByUsername.find((el) => el.username === inviteeEmail)
+            : usersByUsername?.[0];
+
+        // if the user doesn't exist we create the user with the email
+        if (!inviteeUser) {
+          // TODO(carlos): will be removed once the function receives usernames instead of emails
+          const usersByEmail = await userDAL.findUserByEmail(inviteeEmail, tx);
+          if (usersByEmail?.length === 1) {
+            [inviteeUser] = usersByEmail;
+          } else {
+            inviteeUser = await userDAL.create(
+              {
+                isAccepted: false,
+                email: inviteeEmail,
+                username: inviteeEmail,
+                authMethods: [AuthMethod.EMAIL],
+                isGhost: false
+              },
+              tx
+            );
+          }
+        }
+
+        const inviteeUserId = inviteeUser?.id;
+        const existingEncryptionKey = await userDAL.findUserEncKeyByUserId(inviteeUserId, tx);
+
+        // when user is missing the encrytion keys
+        // this could happen either if user doesn't exist or user didn't find step 3 of generating the encryption keys of srp
+        // So what we do is we generate a random secure password and then encrypt it with a random pub-private key
+        // Then when user sign in (as login is not possible as isAccepted is false) we rencrypt the private key with the user password
+        if (!inviteeUser || (inviteeUser && !inviteeUser?.isAccepted && !existingEncryptionKey)) {
+          await userDAL.createUserEncryption(
+            {
+              userId: inviteeUserId,
+              encryptionVersion: 2
+            },
+            tx
+          );
+        }
+
+        if (plan?.slug !== "enterprise" && plan?.identityLimit && plan.identitiesUsed >= plan.identityLimit) {
+          // limit imposed on number of identities allowed / number of identities used exceeds the number of identities allowed
+          throw new BadRequestError({
+            name: "InviteUser",
+            message: "Failed to invite member due to member limit reached. Upgrade plan to invite more members."
+          });
+        }
+
+        await orgDAL.createMembership(
+          {
+            userId: inviteeUser.id,
+            inviteEmail: inviteeEmail,
+            orgId: org.id,
+            role: OrgMembershipRole.Admin,
+            status: inviteeUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited,
+            isActive: true
+          },
+          tx
+        );
+
+        users.push(inviteeUser);
+      }
+
+      return { organization: org, users };
+    });
+
+    await licenseService.updateSubscriptionOrgMemberCount(organization.id);
+
+    await Promise.allSettled(
+      usersToEmail.map(async (user) => {
+        if (!user.email) return;
+
+        if (user.isAccepted) {
+          return smtpService.sendMail({
+            template: SmtpTemplates.OrgAssignment,
+            subjectLine: "You've been added to an Infisical organization",
+            recipients: [user.email],
+            substitutions: {
+              inviterFirstName: serverAdmin?.firstName,
+              inviterUsername: serverAdmin?.email,
+              organizationName: organization.name,
+              email: user.email,
+              organizationId: organization.id,
+              callback_url: `${appCfg.SITE_URL}/login?org_id=${organization.id}`
+            }
+          });
+        }
+
+        // new user, send regular invite
+
+        const token = await tokenService.createTokenForUser({
+          type: TokenType.TOKEN_EMAIL_ORG_INVITATION,
+          userId: user.id,
+          orgId: organization.id
+        });
+
+        return smtpService.sendMail({
+          template: SmtpTemplates.OrgInvite,
+          subjectLine: "Infisical organization invitation",
+          recipients: [user.email],
+          substitutions: {
+            inviterFirstName: serverAdmin?.firstName,
+            inviterUsername: serverAdmin?.email,
+            organizationName: organization.name,
+            email: user.email,
+            organizationId: organization.id,
+            token,
+            callback_url: `${appCfg.SITE_URL}/signupinvite`
+          }
+        });
+      })
+    );
+
+    return organization;
+  };
+
  const deleteOrganization = async (organizationId: string) => {
    const organization = await orgDAL.deleteById(organizationId);
    return organization;
@@ -763,6 +934,86 @@ export const superAdminServiceFactory = ({
    return organizationMembership;
  };

+  const joinOrganization = async (orgId: string, actor: OrgServiceActor) => {
+    const serverAdmin = await userDAL.findById(actor.id);
+
+    if (!serverAdmin) {
+      throw new NotFoundError({ message: "Could not find server admin user" });
+    }
+
+    const org = await orgDAL.findById(orgId);
+
+    if (!org) {
+      throw new NotFoundError({ message: `Could not organization with ID "${orgId}"` });
+    }
+
+    const existingOrgMembership = await orgMembershipDAL.findOne({ userId: serverAdmin.id, orgId });
+
+    if (existingOrgMembership) {
+      throw new BadRequestError({ message: `You are already a part of the organization with ID ${orgId}` });
+    }
+
+    const orgMembership = await orgDAL.createMembership({
+      userId: serverAdmin.id,
+      orgId: org.id,
+      role: OrgMembershipRole.Admin,
+      status: OrgMembershipStatus.Accepted,
+      isActive: true
+    });
+
+    return orgMembership;
+  };
+
+  const resendOrgInvite = async ({ organizationId, membershipId }: TResendOrgInviteDTO, actor: OrgServiceActor) => {
+    const orgMembership = await orgMembershipDAL.findOne({ id: membershipId, orgId: organizationId });
+
+    if (!orgMembership) {
+      throw new NotFoundError({ name: "Organization Membership", message: "Organization membership not found" });
+    }
+
+    if (orgMembership.status === OrgMembershipStatus.Accepted) {
+      throw new BadRequestError({
+        message: "This user has already accepted their invitation."
+      });
+    }
+
+    if (!orgMembership.userId) {
+      throw new NotFoundError({ message: "Cannot find user associated with Org Membership." });
+    }
+
+    if (!orgMembership.inviteEmail) {
+      throw new BadRequestError({ message: "No invite email associated with user." });
+    }
+
+    const org = await orgDAL.findOrgById(orgMembership.orgId);
+
+    const appCfg = getConfig();
+    const serverAdmin = await userDAL.findById(actor.id);
+
+    const token = await tokenService.createTokenForUser({
+      type: TokenType.TOKEN_EMAIL_ORG_INVITATION,
+      userId: orgMembership.userId,
+      orgId: orgMembership.orgId
+    });
+
+    await smtpService.sendMail({
+      template: SmtpTemplates.OrgInvite,
+      subjectLine: "Infisical organization invitation",
+      recipients: [orgMembership.inviteEmail],
+      substitutions: {
+        inviterFirstName: serverAdmin?.firstName,
+        inviterUsername: serverAdmin?.email,
+        organizationName: org?.name,
+        email: orgMembership.inviteEmail,
+        organizationId: orgMembership.orgId,
+        token,
+        callback_url: `${appCfg.SITE_URL}/signupinvite`
+      }
+    });
+
+    return orgMembership;
+  };
+
  const getIdentities = async ({ offset, limit, searchTerm }: TAdminGetIdentitiesDTO) => {
    const identities = await identityDAL.getIdentitiesByFilter({
      limit,
@@ -901,6 +1152,9 @@ export const superAdminServiceFactory = ({
    initializeEnvConfigSync,
    getEnvOverrides,
    getEnvOverridesOrganized,
-    deleteUsers
+    deleteUsers,
+    createOrganization,
+    joinOrganization,
+    resendOrgInvite
  };
 };
--- a/backend/src/services/super-admin/super-admin-types.ts
+++ b/backend/src/services/super-admin/super-admin-types.ts
@@ -34,6 +34,16 @@ export type TGetOrganizationsDTO = {
  searchTerm: string;
 };

+export type TCreateOrganizationDTO = {
+  name: string;
+  inviteAdminEmails: string[];
+};
+
+export type TResendOrgInviteDTO = {
+  organizationId: string;
+  membershipId: string;
+};
+
 export enum LoginMethod {
  EMAIL = "email",
  GOOGLE = "google",
--- a/docs/.eslintrc.js
+++ b/docs/.eslintrc.js
@@ -0,0 +1,40 @@
+module.exports = {
+  env: {
+    browser: true,
+    es2021: true,
+    node: true,
+  },
+  extends: [
+    'eslint:recommended',
+    'plugin:react/recommended',
+    'plugin:react/jsx-runtime',
+  ],
+  parser: '@babel/eslint-parser',
+  parserOptions: {
+    ecmaVersion: 2021,
+    sourceType: 'module',
+    ecmaFeatures: {
+      jsx: true,
+    },
+    requireConfigFile: false,
+    babelOptions: {
+      presets: ['@babel/preset-react'],
+    },
+  },
+  plugins: ['react'],
+  rules: {
+    'react/jsx-uses-react': 'error',
+    'react/jsx-uses-vars': 'error',
+  },
+  settings: {
+    react: {
+      version: 'detect',
+    },
+  },
+  ignorePatterns: [
+    'node_modules/',
+    'dist/',
+    'build/',
+    '*.config.js',
+  ],
+};
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Daniel Hougaard	e9c14d0c0f	docs: docs for ID and slug support across all operator CRDS	2025-09-05 14:15:27 +02:00
Vlad Matsiiako	b53c250ded	Merge pull request #4480 from Infisical/daniel/version-docs docs(secret-versioning): fixed inconsistencies	2025-09-04 21:03:55 -04:00
carlosmonastyrski	f9288a4d2b	Merge pull request #4475 from Infisical/fix/googleSsoEnforcedIssueWithSaml Fix Google SSO issue with SAML configs when SSO is enforced and not SAML	2025-09-04 17:50:43 -03:00
Carlos Monastyrski	6c2ea93822	Improve handleSelectOrganization logic for SSO enforcement	2025-09-04 17:43:40 -03:00
Daniel Hougaard	ab2fae1516	docs(secret-versioning): fixed inconsistancies	2025-09-04 21:51:34 +02:00
carlosmonastyrski	e2be867c95	Merge pull request #4478 from Infisical/fix/pkiCollectionTemplates Fix pki issue where certificate template collection overwrites users collection param	2025-09-04 14:52:05 -03:00
Carlos Monastyrski	0baa0dcfb7	Fix pki issue where certificate template collection overwrites users collection param	2025-09-04 14:41:47 -03:00
Maidul Islam	94027239e0	Merge pull request #4476 from Infisical/feat/primary-proxy feat: primary forwarding mode completed	2025-09-04 13:04:56 -04:00
=	0c26fcbb0f	feat: addressed all review comments	2025-09-04 22:29:16 +05:30
=	035156bcc3	feat: primary forwarding mode completed	2025-09-04 22:29:16 +05:30
carlosmonastyrski	c116eb9ed2	Merge pull request #4452 from Infisical/ENG-3546 Add offline reports	2025-09-04 11:58:12 -03:00
Carlos Monastyrski	8b84fc093f	Improve description of Google SSO enforcement	2025-09-04 11:56:09 -03:00
Carlos Monastyrski	00a522f9d0	Fix Google SSO issue with SAML configs when SSO is enforced and not SAML	2025-09-04 11:53:33 -03:00
Carlos Monastyrski	839b27d5bf	Minor improvements on offline usage report	2025-09-04 09:45:44 -03:00
Carlos Monastyrski	1909fae076	Merge remote-tracking branch 'origin/main' into ENG-3546	2025-09-04 09:43:55 -03:00
Daniel Hougaard	735ddc1138	Merge pull request #4461 from Infisical/daniel/php-sdk-docs docs: php sdk	2025-09-04 06:45:44 +02:00
carlosmonastyrski	3b235e3668	Merge pull request #4472 from Infisical/fix/improveSearchCategories Improve docs search categories	2025-09-03 23:19:19 -03:00
Carlos Monastyrski	5c2dc32ded	Small docs change	2025-09-03 23:17:30 -03:00
Carlos Monastyrski	d84572532a	Small docs change	2025-09-03 23:14:19 -03:00
Carlos Monastyrski	93341ef6e5	Improve docs search categories	2025-09-03 22:56:01 -03:00
Scott Wilson	3d78984320	Merge pull request #4456 from Infisical/server-admin-additions feature(server-admin): Revamp server admin UI and create org additions	2025-09-03 18:45:11 -07:00
Daniel Hougaard	4a55500325	Update php.mdx	2025-09-04 03:09:52 +02:00
Daniel Hougaard	3dae165710	Merge pull request #4470 from Infisical/daniel/custom-vault-migration-ui feat(vault-migration): custom migrations UI	2025-09-04 03:06:21 +02:00
Daniel Hougaard	a94635e5be	Update external-migration-router.ts	2025-09-04 02:57:44 +02:00
Daniel Hougaard	912cd5d20a	linting	2025-09-04 02:54:53 +02:00
Daniel Hougaard	e29a0e487e	feat(vault-migration): custom migrations UI	2025-09-04 02:35:17 +02:00
Daniel Hougaard	8aa270545d	Merge pull request #4469 from Infisical/daniel/user-specific-vault-migration feat(vault-migration): custom migration	2025-09-04 01:31:41 +02:00
Daniel Hougaard	3c24132e97	feat(vault-migration): custom migration	2025-09-04 00:19:09 +02:00
Daniel Hougaard	38a7cb896b	Merge pull request #3519 from danielwaghorn/fix-3517 Updates IP Library to fix #3517	2025-09-03 21:10:59 +02:00
Daniel Hougaard	6abd58ee21	Update index.ts	2025-09-03 20:43:15 +02:00
Daniel Hougaard	c8275f41a3	Update index.ts	2025-09-03 20:40:51 +02:00
Scott Wilson	a6d8ca5a6b	chore: format imports	2025-09-03 09:50:50 -07:00
Scott Wilson	c6b1af5737	improvements: address feedback	2025-09-03 09:48:51 -07:00
Daniel Hougaard	8467286aa3	Merge branch 'heads/main' into pr/3519	2025-09-03 15:02:35 +02:00
carlosmonastyrski	cea43d497d	Merge pull request #4454 from Infisical/ENG-3547 Add searchable component to docs	2025-09-03 00:21:03 -03:00
Scott Wilson	3700597ba7	improvement: alpha sort explorer options	2025-09-02 20:11:36 -07:00
carlosmonastyrski	65f0597bd8	Merge pull request #4460 from Infisical/fix/selectOrganizationAdminBypass Fix blocking issue for auth admin bypass on selectOrganization	2025-09-02 22:09:57 -03:00
Carlos Monastyrski	5b3cae7255	Docs improvements	2025-09-02 21:34:07 -03:00
x032205	a4ff6340f8	Merge pull request #4455 from Infisical/ENG-3635 feat(app-connection, secret-sync): HC Vault Gateway Support	2025-09-02 19:31:05 -04:00
Daniel Hougaard	c802b4aa3a	Update php.mdx	2025-09-03 01:27:42 +02:00
Daniel Hougaard	b7d202c33a	Update php.mdx	2025-09-03 01:27:16 +02:00
Daniel Hougaard	2fc9725b24	Update php.mdx	2025-09-03 01:26:09 +02:00
x032205	bfb2486204	Fix error typing	2025-09-02 18:53:59 -04:00
x032205	c29b5e37f3	Review fixes	2025-09-02 18:52:08 -04:00
Scott Wilson	2b1a36a96d	improvements: address additional feedback	2025-09-02 15:34:45 -07:00
Daniel Hougaard	5a2058d24a	docs: php sdk	2025-09-03 00:32:22 +02:00
Carlos Monastyrski	e666409026	Lint fix	2025-09-02 18:33:44 -03:00
Carlos Monastyrski	ecfc8b5f87	Fix blocking issue for auth admin bypass on selectOrganization	2025-09-02 18:26:33 -03:00
Scott Wilson	435bcd03d3	feature: add ability to join org as super admin	2025-09-02 13:33:28 -07:00
Scott Wilson	4d6e12d6b2	improvements: address feedback	2025-09-02 12:44:02 -07:00
x032205	a6b4939ea5	Merge pull request #4453 from Infisical/lockout-lock-fix Lockout lock fix	2025-09-02 15:17:19 -04:00
x032205	640dccadb7	Improve lock logging	2025-09-02 14:26:39 -04:00
x032205	3ebd5305c2	Lock retry	2025-09-02 14:13:12 -04:00
carlosmonastyrski	8d1c0b432b	Merge pull request #4429 from Infisical/ENG-3533 Add Github Bulk Team Sync	2025-09-02 13:55:53 -03:00
Carlos Monastyrski	be588c2653	Improve github manual sync message and docs	2025-09-02 12:38:02 -03:00
Carlos Monastyrski	88155576a2	Merge remote-tracking branch 'origin/main' into ENG-3546	2025-09-02 10:04:03 -03:00
Scott Wilson	394538769b	feature: revamp server admin UI and create org additions	2025-09-01 22:03:48 -07:00
x032205	f7828ed458	Update docs	2025-09-01 23:28:32 -04:00
x032205	b40bb72643	feat(secret-sync): HC Vault Secret Sync Gateway Support	2025-09-01 23:22:59 -04:00
x032205	4f1cd69bcc	feat(app-connection): HC Vault Gateway Support	2025-09-01 22:40:41 -04:00
Carlos Monastyrski	4d4b4c13c3	Address greptile comments	2025-09-01 23:11:00 -03:00
Carlos Monastyrski	c8bf9049de	Add searchable component to docs	2025-09-01 22:56:27 -03:00
x032205	ab91863c77	fix(app-connection): HC Vault Sanitized Schema Fix	2025-09-01 21:48:12 -04:00
Carlos Monastyrski	14473c742c	Address greptile comments	2025-09-01 21:18:48 -03:00
x032205	6db4c614af	Make logic slightly more robust	2025-09-01 18:30:18 -04:00
x032205	21e2db2963	Swap to redis lock	2025-09-01 18:24:55 -04:00
Carlos Monastyrski	4063cf5294	Add offline reports	2025-09-01 18:50:54 -03:00
Carlos Monastyrski	da0d4a31b1	Fix license-fns used for testing	2025-09-01 16:01:30 -03:00
Carlos Monastyrski	b7d3ddff21	Improvements on github bulk sync	2025-09-01 15:55:08 -03:00
Scott Wilson	a3c6b1134b	Merge pull request #4451 from Infisical/external-imports-ui-improvement improvement(frontend): Clarify external import provider names and add logos	2025-09-01 10:04:47 -07:00
Scott Wilson	d931725930	improvement: clarify external import provider names and add logo icons	2025-09-01 09:47:59 -07:00
Akhil Mohan	6702498028	Merge pull request #4450 from Infisical/fix/bring-back-overviewpage feat: union said - bring back overview page!!	2025-09-01 14:47:29 +05:30
=	b650b142f7	feat: union said - bring back overview page!!	2025-09-01 14:43:24 +05:30
Daniel Hougaard	19a5f52d20	Merge pull request #4447 from Supsource/main Fix broken SDK link in docs	2025-08-31 19:43:06 +02:00
Supriyo	e51c5256a0	Fix broken SDK link in docs	2025-08-31 22:38:17 +05:30
carlosmonastyrski	3bb0c9b3ad	Merge pull request #4446 from Infisical/fix/selectOrgSamlEnforced Check token source before throwing an error for auth enforced scenarios	2025-08-31 13:49:09 -03:00
Carlos Monastyrski	41404148e1	Improve error message	2025-08-31 13:37:41 -03:00
Carlos Monastyrski	e04e11f597	Check token source before throwing an error for auth enforced scenarios	2025-08-31 13:24:08 -03:00
Sheen	5fffa17c30	Merge pull request #4444 from Infisical/fix/revert-lockout-login feat: reverted lockout in login completely	2025-08-30 23:12:13 +08:00
=	3fa6154517	feat: reverted lockout in login completely	2025-08-30 20:39:37 +05:30
Maidul Islam	1d5cdb4000	Merge pull request #4443 from Infisical/disable-lockout Disable lock	2025-08-29 22:43:36 -04:00
x032205	a1b53855bb	Fix lint	2025-08-29 22:33:45 -04:00
x032205	b447ccd3f0	Disable lock	2025-08-29 22:26:59 -04:00
carlosmonastyrski	2058afb3e0	Merge pull request #4435 from Infisical/ENG-3622 Improve Audit Logs permissions	2025-08-29 20:44:30 -03:00
Daniel Hougaard	dc0a7d3a70	Merge pull request #4442 from Infisical/daniel/vault-migration fix(vault-migration): ui bug	2025-08-30 01:40:20 +02:00
Daniel Hougaard	53618a4bd8	Update VaultPlatformModal.tsx	2025-08-30 01:38:28 +02:00
x032205	d6ca2cdc2e	Merge pull request #4441 from Infisical/get-secret-endpoint-fix Include secretPath in "get secret by name" API response	2025-08-29 19:08:12 -04:00
Daniel Hougaard	acf3bdc5a3	Merge pull request #4440 from Infisical/daniel/vault-migration feat(vault-migration): gateway support & kv v1 support	2025-08-30 01:02:46 +02:00
x032205	533d9cea38	Include secretPath in "get secret by name" API response	2025-08-29 18:56:47 -04:00
x032205	82faf3a797	Merge pull request #4436 from Infisical/ENG-3536 feat(PKI): External CA EAB Support + DigiCert Docs	2025-08-29 18:03:57 -04:00
Daniel Hougaard	ece0af7787	Merge branch 'daniel/vault-migration' of https://github.com/Infisical/infisical into daniel/vault-migration	2025-08-29 23:57:47 +02:00
Daniel Hougaard	6bccb1e5eb	Update vault.mdx	2025-08-29 23:57:36 +02:00
Carlos Monastyrski	dc23abdb86	Change view to read on org audit log label	2025-08-29 18:36:22 -03:00
Daniel Hougaard	8d3be92d09	Update frontend/src/pages/organization/SettingsPage/components/ExternalMigrationsTab/components/VaultPlatformModal.tsx Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>	2025-08-29 23:32:58 +02:00
x032205	1e7f0f8a39	Fix modal render issue	2025-08-29 17:31:39 -04:00
Daniel Hougaard	c99a4b7cc8	feat(vault-migration): gateway support & kv v1 support	2025-08-29 23:27:12 +02:00
Scott Wilson	e3838643e5	Merge pull request #4426 from Infisical/secret-dashboard-update improvement(frontend): Remove secret overview page and re-vamp secret dashboard	2025-08-29 14:18:24 -07:00
x032205	5bd961735d	Update docs	2025-08-29 17:15:42 -04:00
Scott Wilson	1147cfcea4	chore: fix lint	2025-08-29 13:49:08 -07:00
Scott Wilson	abb577e4e9	fix: prevent folder click on navigation from duplicating path addition	2025-08-29 13:39:38 -07:00
x032205	29dd49d696	Merge pull request #4394 from Infisical/ENG-3506 feat(identities): Universal Auth Login Lockout	2025-08-29 15:35:17 -04:00
x032205	0f76003f77	UX Tweaks	2025-08-29 15:23:41 -04:00
x032205	1c4dfbe028	Merge branch 'main' into ENG-3506	2025-08-29 14:56:06 -04:00
Scott Wilson	65be2e7f7b	Merge pull request #4427 from Infisical/fix-inference-attack improvement(frontend): Use fixed length mask for secrets when unfocused to prevent inference attacks	2025-08-29 10:47:26 -07:00
Scott Wilson	cf64c89ea3	fix: add folder exists check to dashboard router endpoint	2025-08-29 10:46:59 -07:00
Daniel Hougaard	d934f03597	Merge pull request #4438 from Infisical/daniel/remove-sdk-contributor-doc docs: remove sdk contributor doc	2025-08-29 16:16:43 +02:00
Daniel Hougaard	e051cfd146	update terraform references	2025-08-29 15:59:57 +02:00
Daniel Hougaard	be30327dc9	moved terraform docs	2025-08-29 15:50:53 +02:00
Daniel Hougaard	f9784f15ed	docs: remove sdk contributor doc	2025-08-29 15:43:53 +02:00
x032205	8e42fdaf5b	feat(PKI): External CA EAB Support + DigiCert Docs	2025-08-29 01:41:47 -04:00
Carlos Monastyrski	2a52463585	Improve Audit Log Org Permission Label	2025-08-28 20:47:10 -03:00
Carlos Monastyrski	20287973b1	Improve Audit Logs permissions	2025-08-28 20:33:59 -03:00
Scott Wilson	7f958e6d89	chore: merge main	2025-08-28 15:13:41 -07:00
Scott Wilson	e7138f1be9	improvements: address feedback and additional bugs	2025-08-28 15:10:28 -07:00
Sid	01fba20872	feat: merge sdk docs (#4408 )	2025-08-29 03:19:21 +05:30
carlosmonastyrski	696a70577a	Merge pull request #4422 from Infisical/feat/azurePkiConnector Added Microsoft ADCS PKI Connector	2025-08-28 17:15:24 -03:00
Carlos Monastyrski	8ba61e8293	Merge remote-tracking branch 'origin/main' into feat/azurePkiConnector	2025-08-28 16:50:18 -03:00
Carlos Monastyrski	5944642278	Minor UI improvement and updated Github sync document	2025-08-28 16:49:13 -03:00
Daniel Hougaard	f5434b5cba	Merge pull request #4433 from Infisical/daniel/ansible-oidc-doc docs(ansible): oidc auth	2025-08-28 21:25:45 +02:00
Daniel Hougaard	1159b74bdb	Update ansible.mdx	2025-08-28 21:20:00 +02:00
Daniel Hougaard	bc4885b098	Update ansible.mdx	2025-08-28 21:12:00 +02:00
Carlos Monastyrski	97be78a107	Doc improvement	2025-08-28 15:54:16 -03:00
Carlos Monastyrski	4b42f7b1b5	Add ssl fix for certificates with different hostname than the IP and doc improvement	2025-08-28 14:38:49 -03:00
Scott Wilson	3de7fec650	Merge pull request #4432 from Infisical/project-view-select-improvements improvement(frontend): Revise Project View Select UI on Project Overview Page	2025-08-28 10:25:52 -07:00
Carlos Monastyrski	07a55bb943	Improve validate token UI	2025-08-28 10:05:49 -03:00
Carlos Monastyrski	7894bd8ae1	Improve messaging	2025-08-28 09:49:38 -03:00
Carlos Monastyrski	5eee99e9ac	RE2 fixes	2025-08-28 09:21:45 -03:00
Carlos Monastyrski	e8ef0191d6	Lint fix and greptile comments addressed	2025-08-28 01:27:07 -03:00
Carlos Monastyrski	7d74dce82b	Add Github Bulk Team Sync	2025-08-28 01:13:25 -03:00
Scott Wilson	43dd45de29	improvement: used fix length mask for secrets when unfocused to prevent inference attacks	2025-08-27 18:20:01 -07:00
Carlos Monastyrski	13b20806ba	Improvements on Azure ADCS PKI feature	2025-08-27 21:20:10 -03:00
Scott Wilson	49b5ab8126	improvement: add missing key prop	2025-08-27 17:00:26 -07:00
Scott Wilson	c99d5c210c	improvement: remove overview page and re-vamp secret dashboard	2025-08-27 16:51:15 -07:00
Carlos Monastyrski	0762de93d6	Use ProjectPermissionSub.CertificateAuthorities for getAzureAdcsTemplates instead of certificates	2025-08-27 10:15:29 -03:00
x032205	8d6461b01d	- Swap to using ms in some frontend areas - Rename button from "Clear All Lockouts" to "Reset All Lockouts" - Add a tooltip to the red lock icon on auth row - Make the red lock icon go away after resetting all lockouts	2025-08-27 04:47:21 -04:00
x032205	f52dbaa2f2	Merge branch 'main' into ENG-3506	2025-08-27 04:10:12 -04:00
Carlos Monastyrski	0c92764409	Type fix	2025-08-27 05:07:02 -03:00
Carlos Monastyrski	976317e71b	Remove axios-ntlm and fix import of httpntlm	2025-08-27 04:58:18 -03:00
Carlos Monastyrski	7b52d60036	Addressed greptlie comments and suggestions	2025-08-27 04:04:39 -03:00
Carlos Monastyrski	83479a091e	Removed field used for testing from pki subscribers	2025-08-27 02:52:58 -03:00
Carlos Monastyrski	4e2592960d	Added Microsoft ADCS connector	2025-08-27 02:45:46 -03:00
x032205	8d5b6a17b1	Remove async from migration	2025-08-26 20:44:23 -04:00
x032205	8945bc0dc1	Review fixes	2025-08-26 20:40:16 -04:00
x032205	1b22438c46	Fix migration	2025-08-26 03:11:10 -04:00
x032205	57c667f0b1	Improve getObjectFromSeconds func	2025-08-19 15:40:01 +08:00
x032205	15d3638612	Type check fixes	2025-08-19 15:38:07 +08:00
x032205	ebd3b5c9d1	UI polish: Add better time inputs and tooltips	2025-08-19 15:24:20 +08:00
x032205	5136dbc543	Tooltips for inputs	2025-08-19 14:05:56 +08:00
x032205	bceddab89f	Greptile review fixes	2025-08-19 14:01:39 +08:00
x032205	6d5bed756a	feat(identities): Universal Auth Login Lockout	2025-08-18 23:57:31 +08:00
Daniel Waghorn	a7f33d669f	Updates IP Library to fix #3517	2025-08-17 19:46:40 +01:00