web: break application view into constituent parts

As part of the project to make the verticals more controllable and responsive, this commit breaks the ApplicationView into two different parts: The API layer and the rendering layer. The rendering layer is officially dumb beyond words; it knows nothing at all about Applications, RBAC, or Outposts; it just draws what it's told to draw. It has parts inside that have their own reactivity, but that reactivity means nothing to the renderer. The Renderer itself is broken into two: The LoadingRenderer works when there is no application, and the regular Renderer is build when there is. Typescript's check makes it impossible to attempt to use the standard renderer when there is no application, so all of the `this.application?` checks just... go away. A _huge_ section of the View is the control card, which offers the user the power to visit the provider, provide access to the backchannel providers, edit the application, run an access check against a given user, and launch the application. All of these features were heavily obscured by a blizzard of dg/dl/dt/dd html objects that made it hard to see what was in there. Each "description" pair has been broken out into a tuple of Term and Description, with filters to remove the ones that aren't applicable whenever an application doesn't have, for example, a launch url, or backchannel providers, and a utility function I wrote _ages_ ago renders the description list syntax for me without my having to do it all by hand. The nice thing about this work is that it now allows me to *see* where in the ApplicationView code to focus my efforts on providing activation hooks for the "create a new policy," "assign a new permission to a user," or "edit an application" commands that should be accessible by the palette, or even from the sidebar. The other nice thing is that it reveals just *where* in our code to focus our efforts on revamping our styling, and making it better for ourselves and our users. There's a reason I call this my *legibility project*. It didn't even take that long... about 2½ hours, and I'm only going to get faster at it as the needs of the different components become clear.
Added comments to explain something.
2024-05-08 17:47:26 -07:00 · 2024-05-08 13:56:46 -07:00 · 2024-05-08 13:50:47 -07:00 · 2024-05-08 13:38:49 -07:00 · 2024-05-08 08:06:05 -07:00 · 2024-05-07 08:49:15 -07:00
876 changed files with 19377 additions and 45686 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.1
+current_version = 2024.4.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -17,8 +17,6 @@ optional_value = final

 [bumpversion:file:pyproject.toml]

-[bumpversion:file:package.json]
-
 [bumpversion:file:docker-compose.yml]

 [bumpversion:file:schema.yml]
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -54,10 +54,9 @@ runs:
            authentik:
                outposts:
                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}
            ```

            For arm64, use these values:
@ -66,10 +65,9 @@ runs:
            authentik:
                outposts:
                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}-arm64
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}-arm64
            ```

            Afterwards, run the upgrade commands from the latest release notes.
--- a/.github/actions/setup/docker-compose.yml
+++ b/.github/actions/setup/docker-compose.yml
@ -1,3 +1,5 @@
+version: "3.7"
+
 services:
  postgresql:
    image: docker.io/library/postgres:${PSQL_TAG:-16}
--- a/.github/codespell-words.txt
+++ b/.github/codespell-words.txt
@ -4,4 +4,3 @@ hass
 warmup
 ontext
 singed
-assertIn
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -21,10 +21,7 @@ updates:
    labels:
      - dependencies
  - package-ecosystem: npm
-    directories:
-      - "/web"
-      - "/tests/wdio"
-      - "/web/sfe"
+    directory: "/web"
    schedule:
      interval: daily
      time: "04:00"
@ -33,6 +30,7 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "web:"
+    # TODO: deduplicate these groups
    groups:
      sentry:
        patterns:
@ -58,6 +56,38 @@ updates:
        patterns:
          - "@rollup/*"
          - "rollup-*"
+  - package-ecosystem: npm
+    directory: "/tests/wdio"
+    schedule:
+      interval: daily
+      time: "04:00"
+    labels:
+      - dependencies
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "web:"
+    # TODO: deduplicate these groups
+    groups:
+      sentry:
+        patterns:
+          - "@sentry/*"
+          - "@spotlightjs/*"
+      babel:
+        patterns:
+          - "@babel/*"
+          - "babel-*"
+      eslint:
+        patterns:
+          - "@typescript-eslint/*"
+          - "eslint"
+          - "eslint-*"
+      storybook:
+        patterns:
+          - "@storybook/*"
+          - "*storybook*"
+      esbuild:
+        patterns:
+          - "@esbuild/*"
      wdio:
        patterns:
          - "@wdio/*"
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@ -31,12 +31,7 @@ jobs:
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
      - name: Upgrade /web
-        working-directory: web
-        run: |
-          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
-          npm i @goauthentik/api@$VERSION
-      - name: Upgrade /web/sfe
-        working-directory: web/sfe
+        working-directory: web/
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -50,6 +50,7 @@ jobs:
      fail-fast: false
      matrix:
        psql:
+          - 12-alpine
          - 15-alpine
          - 16-alpine
    steps:
@ -103,6 +104,7 @@ jobs:
      fail-fast: false
      matrix:
        psql:
+          - 12-alpine
          - 15-alpine
          - 16-alpine
    steps:
@ -219,7 +221,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -240,7 +242,7 @@ jobs:
      - name: generate ts client
        run: make gen-client-ts
      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        with:
          context: .
          secrets: |
@ -250,8 +252,8 @@ jobs:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
          platforms: linux/${{ matrix.arch }}
  pr-comment:
    needs:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -76,7 +76,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -96,7 +96,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: ${{ matrix.type }}.Dockerfile
@ -105,8 +105,8 @@ jobs:
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          platforms: linux/amd64,linux/arm64
          context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache,mode=max
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
  build-binary:
    timeout-minutes: 120
    needs:
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -12,36 +12,14 @@ on:
      - version-*

 jobs:
-  lint:
+  lint-eslint:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
-        command:
-          - lint
-          - lint:lockfile
-          - tsc
-          - prettier-check
        project:
          - web
          - tests/wdio
-        include:
-          - command: tsc
-            project: web
-            extra_setup: |
-              cd sfe/ && npm ci
-          - command: lit-analyse
-            project: web
-            extra_setup: |
-              # lit-analyse doesn't understand path rewrites, so make it
-              # belive it's an actual module
-              cd node_modules/@goauthentik
-              ln -s ../../src/ web
-        exclude:
-          - command: lint:lockfile
-            project: tests/wdio
-          - command: tsc
-            project: tests/wdio
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@ -50,17 +28,85 @@ jobs:
          cache: "npm"
          cache-dependency-path: ${{ matrix.project }}/package-lock.json
      - working-directory: ${{ matrix.project }}/
-        run: |
-          npm ci
-          ${{ matrix.extra_setup }}
+        run: npm ci
      - name: Generate API
        run: make gen-client-ts
-      - name: Lint
+      - name: Eslint
        working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
+        run: npm run lint
+  lint-lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - working-directory: web/
+        run: |
+          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
+  lint-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: TSC
+        working-directory: web/
+        run: npm run tsc
+  lint-prettier:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - web
+          - tests/wdio
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: ${{ matrix.project }}/package.json
+          cache: "npm"
+          cache-dependency-path: ${{ matrix.project }}/package-lock.json
+      - working-directory: ${{ matrix.project }}/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: prettier
+        working-directory: ${{ matrix.project }}/
+        run: npm run prettier-check
+  lint-lit-analyse:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: |
+          npm ci
+          # lit-analyse doesn't understand path rewrites, so make it
+          # belive it's an actual module
+          cd node_modules/@goauthentik
+          ln -s ../../src/ web
+      - name: Generate API
+        run: make gen-client-ts
+      - name: lit-analyse
+        working-directory: web/
+        run: npm run lit-analyse
  ci-web-mark:
    needs:
-      - lint
+      - lint-lockfile
+      - lint-eslint
+      - lint-prettier
+      - lint-lit-analyse
+      - lint-build
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
@ -82,21 +128,3 @@ jobs:
      - name: build
        working-directory: web/
        run: npm run build
-  test:
-    needs:
-      - ci-web-mark
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: test
-        working-directory: web/
-        run: npm run test
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -12,21 +12,27 @@ on:
      - version-*

 jobs:
-  lint:
+  lint-lockfile:
    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint:lockfile
-          - prettier-check
    steps:
      - uses: actions/checkout@v4
+      - working-directory: website/
+        run: |
+          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
+  lint-prettier:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
-      - name: Lint
+      - name: prettier
        working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: npm run prettier-check
  test:
    runs-on: ubuntu-latest
    steps:
@ -63,7 +69,8 @@ jobs:
        run: npm run ${{ matrix.job }}
  ci-website-mark:
    needs:
-      - lint
+      - lint-lockfile
+      - lint-prettier
      - test
      - build
    runs-on: ubuntu-latest
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -14,7 +14,7 @@ jobs:
    steps:
      - uses: actions/checkout@v4
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -40,7 +40,7 @@ jobs:
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
@ -68,7 +68,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -94,7 +94,7 @@ jobs:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ${{ steps.ev.outputs.imageTags }}
@ -155,8 +155,8 @@ jobs:
      - uses: actions/checkout@v4
      - name: Run test suite in final docker images
        run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
          docker compose pull -q
          docker compose up --no-start
          docker compose start postgresql redis
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -14,8 +14,8 @@ jobs:
      - uses: actions/checkout@v4
      - name: Pre-release test
        run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
          docker buildx install
          mkdir -p ./gen-ts-api
          docker build -t testing:latest .
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -4,21 +4,20 @@
        "asgi",
        "authentik",
        "authn",
-        "entra",
        "goauthentik",
        "jwks",
-        "kubernetes",
        "oidc",
        "openid",
-        "passwordless",
        "plex",
        "saml",
-        "scim",
-        "slo",
-        "sso",
        "totp",
-        "traefik",
        "webauthn",
+        "traefik",
+        "passwordless",
+        "kubernetes",
+        "sso",
+        "slo",
+        "scim",
    ],
    "todo-tree.tree.showCountsInTree": true,
    "todo-tree.tree.showBadges": true,
--- a/42
+++ b/42
@ -22,33 +22,23 @@ RUN npm run build-bundled
 # Stage 2: Build webui
 FROM --platform=${BUILDPLATFORM} docker.io/node:22 as web-builder

-ARG GIT_BUILD_HASH
-ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production

 WORKDIR /work/web

 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=bind,target=/work/web/sfe/package.json,src=./web/sfe/package.json \
-    --mount=type=bind,target=/work/web/sfe/package-lock.json,src=./web/sfe/package-lock.json \
-    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
-    npm ci --include=dev && \
-    cd sfe && \
    npm ci --include=dev

-COPY ./package.json /work
 COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api

-RUN npm run build && \
-    cd sfe && \
-    npm run build
+RUN npm run build

 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.22.3-bookworm AS go-builder

 ARG TARGETOS
 ARG TARGETARCH
@ -59,11 +49,6 @@ ARG GOARCH=$TARGETARCH

 WORKDIR /go/src/goauthentik.io

-RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
-    dpkg --add-architecture arm64 && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends crossbuild-essential-arm64 gcc-aarch64-linux-gnu
-
 RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
    --mount=type=bind,target=/go/src/goauthentik.io/go.sum,src=./go.sum \
    --mount=type=cache,target=/go/pkg/mod \
@ -78,11 +63,11 @@ COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum

+ENV CGO_ENABLED=0
+
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
-    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOEXPERIMENT="systemcrypto" GOFLAGS="-tags=requirefips" GOARM="${TARGETVARIANT#v}" \
-    go build -o /go/authentik ./cmd/server
+    GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server

 # Stage 4: MaxMind GeoIP
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 as geoip
@ -99,7 +84,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS python-deps
+FROM docker.io/python:3.12.3-slim-bookworm AS python-deps

 WORKDIR /ak-root/poetry

@ -112,7 +97,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev
+    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev

 RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
@ -120,13 +105,12 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=cache,target=/root/.cache/pypoetry \
    python -m venv /ak-root/venv/ && \
    bash -c "source ${VENV_PATH}/bin/activate && \
-    pip3 install --upgrade pip && \
-    pip3 install poetry && \
-    poetry install --only=main --no-ansi --no-interaction --no-root && \
-    pip install --force-reinstall /wheels/*"
+        pip3 install --upgrade pip && \
+        pip3 install poetry && \
+        poetry install --only=main --no-ansi --no-interaction --no-root"

 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS final-image
+FROM docker.io/python:3.12.3-slim-bookworm AS final-image

 ARG GIT_BUILD_HASH
 ARG VERSION
@ -143,7 +127,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates && \
+    apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 ca-certificates && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
    apt-get clean && \
@ -179,8 +163,6 @@ ENV TMPDIR=/dev/shm/ \
    VENV_PATH="/ak-root/venv" \
    POETRY_VIRTUALENVS_CREATE=false

-ENV GOFIPS=1
-
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]

 ENTRYPOINT [ "dumb-init", "--", "ak" ]
--- a/11
+++ b/11
@ -47,8 +47,8 @@ test-go:
 	go test -timeout 0 -v -race -cover ./...

 test-docker:  ## Run all tests in a docker-compose
-	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
-	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	echo "PG_PASS=$(shell openssl rand 32 | base64)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64)" >> .env
 	docker compose pull -q
 	docker compose up --no-start
 	docker compose start postgresql redis
@ -60,11 +60,9 @@ test: ## Run the server tests and produce a coverage report (locally)
 	coverage html
 	coverage report

-lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	black $(PY_SOURCES)
 	ruff check --fix $(PY_SOURCES)
-
-lint-codespell:  ## Reports spelling errors.
 	codespell -w $(CODESPELL_ARGS)

 lint: ## Lint the python and golang sources
@ -241,7 +239,7 @@ website: website-lint-fix website-build  ## Automatically fix formatting issues
 website-install:
 	cd website && npm ci

-website-lint-fix: lint-codespell
+website-lint-fix:
 	cd website && npm run prettier

 website-build:
@ -255,7 +253,6 @@ website-watch:  ## Build and watch the documentation website, updating automatic
 #########################

 docker:  ## Build a docker image of the current source tree
-	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}

 #########################
--- a/SECURITY.md
+++ b/SECURITY.md
@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 (.x being the latest patch release for each version)

-| Version  | Supported |
-| -------- | --------- |
-| 2024.4.x | ✅        |
-| 2024.6.x | ✅        |
+| Version   | Supported |
+| --------- | --------- |
+| 2023.10.x | ✅        |
+| 2024.2.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.6.1"
+__version__ = "2024.4.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -2,21 +2,18 @@

 import platform
 from datetime import datetime
-from ssl import OPENSSL_VERSION
 from sys import version as python_version
 from typing import TypedDict

-from cryptography.hazmat.backends.openssl.backend import backend
 from django.utils.timezone import now
 from drf_spectacular.utils import extend_schema
+from gunicorn import version_info as gunicorn_version
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView

-from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
-from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
@ -28,13 +25,11 @@ class RuntimeDict(TypedDict):
    """Runtime information"""

    python_version: str
+    gunicorn_version: str
    environment: str
    architecture: str
    platform: str
    uname: str
-    openssl_version: str
-    openssl_fips_enabled: bool | None
-    authentik_version: str


 class SystemInfoSerializer(PassiveSerializer):
@ -69,15 +64,11 @@ class SystemInfoSerializer(PassiveSerializer):
    def get_runtime(self, request: Request) -> RuntimeDict:
        """Get versions"""
        return {
-            "architecture": platform.machine(),
-            "authentik_version": get_full_version(),
-            "environment": get_env(),
-            "openssl_fips_enabled": (
-                backend._fips_enabled if LicenseKey.get_total().is_valid() else None
-            ),
-            "openssl_version": OPENSSL_VERSION,
-            "platform": platform.platform(),
            "python_version": python_version,
+            "gunicorn_version": ".".join(str(x) for x in gunicorn_version),
+            "environment": get_env(),
+            "architecture": platform.machine(),
+            "platform": platform.platform(),
            "uname": " ".join(platform.uname()),
        }

--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -1,13 +1,13 @@
 {% extends "base/skeleton.html" %}

-{% load authentik_core %}
+{% load static %}

 {% block title %}
 API Browser - {{ brand.branding_title }}
 {% endblock %}

 {% block head %}
-{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
+<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -75,7 +75,7 @@ class BlueprintEntry:
    _state: BlueprintEntryState = field(default_factory=BlueprintEntryState)

    def __post_init__(self, *args, **kwargs) -> None:
-        self.__tag_contexts: list[YAMLTagContext] = []
+        self.__tag_contexts: list["YAMLTagContext"] = []

    @staticmethod
    def from_model(model: SerializerModel, *extra_identifier_names: str) -> "BlueprintEntry":
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -39,14 +39,6 @@ from authentik.core.models import (
 )
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsage
-from authentik.enterprise.providers.google_workspace.models import (
-    GoogleWorkspaceProviderGroup,
-    GoogleWorkspaceProviderUser,
-)
-from authentik.enterprise.providers.microsoft_entra.models import (
-    MicrosoftEntraProviderGroup,
-    MicrosoftEntraProviderUser,
-)
 from authentik.enterprise.providers.rac.models import ConnectionToken
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
@ -58,7 +50,7 @@ from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
-from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
+from authentik.providers.scim.models import SCIMGroup, SCIMUser
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
@ -94,11 +86,10 @@ def excluded_models() -> list[type[Model]]:
        # Classes that have other dependencies
        AuthenticatedSession,
        # Classes which are only internally managed
-        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
        FlowToken,
        LicenseUsage,
-        SCIMProviderGroup,
-        SCIMProviderUser,
+        SCIMGroup,
+        SCIMUser,
        Tenant,
        SystemTask,
        ConnectionToken,
@ -109,10 +100,6 @@ def excluded_models() -> list[type[Model]]:
        WebAuthnDeviceType,
        SCIMSourceUser,
        SCIMSourceGroup,
-        GoogleWorkspaceProviderUser,
-        GoogleWorkspaceProviderGroup,
-        MicrosoftEntraProviderUser,
-        MicrosoftEntraProviderGroup,
    )


--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -11,20 +11,21 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet

 from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.tenants.utils import get_current_tenant


 class FooterLinkSerializer(PassiveSerializer):
    """Links returned in Config API"""

-    href = CharField(read_only=True, allow_null=True)
+    href = CharField(read_only=True)
    name = CharField(read_only=True)


--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -17,6 +17,7 @@ from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodFiel
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

@ -25,7 +26,6 @@ from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
@ -103,7 +103,7 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
    """Application Viewset"""

-    queryset = Application.objects.all().prefetch_related("provider").prefetch_related("policies")
+    queryset = Application.objects.all().prefetch_related("provider")
    serializer_class = ApplicationSerializer
    search_fields = [
        "name",
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -8,12 +8,12 @@ from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser

 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -2,7 +2,6 @@

 from json import loads

-from django.db.models import Prefetch
 from django.http import Http404
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
@ -17,12 +16,12 @@ from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer, ValidationError
+from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.core.models import Group, User
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required
@ -167,14 +166,8 @@ class GroupViewSet(UsedByMixin, ModelViewSet):

    def get_queryset(self):
        base_qs = Group.objects.all().select_related("parent").prefetch_related("roles")
-
        if self.serializer_class(context={"request": self.request})._should_include_users:
            base_qs = base_qs.prefetch_related("users")
-        else:
-            base_qs = base_qs.prefetch_related(
-                Prefetch("users", queryset=User.objects.all().only("id"))
-            )
-
        return base_qs

    @extend_schema(
@ -185,14 +178,6 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
    def list(self, request, *args, **kwargs):
        return super().list(request, *args, **kwargs)

-    @extend_schema(
-        parameters=[
-            OpenApiParameter("include_users", bool, default=True),
-        ]
-    )
-    def retrieve(self, request, *args, **kwargs):
-        return super().retrieve(request, *args, **kwargs)
-
    @permission_required("authentik_core.add_user_to_group")
    @extend_schema(
        request=UserAccountSerializer,
--- a/authentik/core/api/object_types.py
+++ b/authentik/core/api/object_types.py
@ -1,79 +0,0 @@
-"""API Utilities"""
-
-from drf_spectacular.utils import extend_schema
-from rest_framework.decorators import action
-from rest_framework.fields import (
-    BooleanField,
-    CharField,
-)
-from rest_framework.request import Request
-from rest_framework.response import Response
-
-from authentik.core.api.utils import PassiveSerializer
-from authentik.enterprise.apps import EnterpriseConfig
-from authentik.lib.utils.reflection import all_subclasses
-
-
-class TypeCreateSerializer(PassiveSerializer):
-    """Types of an object that can be created"""
-
-    name = CharField(required=True)
-    description = CharField(required=True)
-    component = CharField(required=True)
-    model_name = CharField(required=True)
-
-    icon_url = CharField(required=False)
-    requires_enterprise = BooleanField(default=False)
-
-
-class CreatableType:
-    """Class to inherit from to mark a model as creatable, even if the model itself is marked
-    as abstract"""
-
-
-class NonCreatableType:
-    """Class to inherit from to mark a model as non-creatable even if it is not abstract"""
-
-
-class TypesMixin:
-    """Mixin which adds an API endpoint to list all possible types that can be created"""
-
-    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
-    @action(detail=False, pagination_class=None, filter_backends=[])
-    def types(self, request: Request, additional: list[dict] | None = None) -> Response:
-        """Get all creatable types"""
-        data = []
-        for subclass in all_subclasses(self.queryset.model):
-            instance = None
-            if subclass._meta.abstract:
-                if not issubclass(subclass, CreatableType):
-                    continue
-                # Circumvent the django protection for not being able to instantiate
-                # abstract models. We need a model instance to access .component
-                # and further down .icon_url
-                instance = subclass.__new__(subclass)
-                # Django re-sets abstract = False so we need to override that
-                instance.Meta.abstract = True
-            else:
-                if issubclass(subclass, NonCreatableType):
-                    continue
-                instance = subclass()
-            try:
-                data.append(
-                    {
-                        "name": subclass._meta.verbose_name,
-                        "description": subclass.__doc__,
-                        "component": instance.component,
-                        "model_name": subclass._meta.model_name,
-                        "icon_url": getattr(instance, "icon_url", None),
-                        "requires_enterprise": isinstance(
-                            subclass._meta.app_config, EnterpriseConfig
-                        ),
-                    }
-                )
-            except NotImplementedError:
-                continue
-        if additional:
-            data.extend(additional)
-        data = sorted(data, key=lambda x: x["name"])
-        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/core/api/property_mappings.py
+++ b/authentik/core/api/property_mappings.py
@ -8,23 +8,19 @@ from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
-from rest_framework.fields import BooleanField, CharField, SerializerMethodField
-from rest_framework.relations import PrimaryKeyRelatedField
+from rest_framework.fields import BooleanField, CharField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet

 from authentik.blueprints.api import ManagedSerializer
-from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import (
-    MetaNameSerializer,
-    ModelSerializer,
-    PassiveSerializer,
-)
+from authentik.core.api.utils import MetaNameSerializer, PassiveSerializer, TypeCreateSerializer
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
-from authentik.core.models import Group, PropertyMapping, User
+from authentik.core.models import PropertyMapping
 from authentik.events.utils import sanitize_item
+from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.exec import PolicyTestSerializer
 from authentik.rbac.decorators import permission_required

@ -68,7 +64,6 @@ class PropertyMappingSerializer(ManagedSerializer, ModelSerializer, MetaNameSeri


 class PropertyMappingViewSet(
-    TypesMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
@ -77,15 +72,7 @@ class PropertyMappingViewSet(
 ):
    """PropertyMapping Viewset"""

-    class PropertyMappingTestSerializer(PolicyTestSerializer):
-        """Test property mapping execution for a user/group with context"""
-
-        user = PrimaryKeyRelatedField(queryset=User.objects.all(), required=False, allow_null=True)
-        group = PrimaryKeyRelatedField(
-            queryset=Group.objects.all(), required=False, allow_null=True
-        )
-
-    queryset = PropertyMapping.objects.select_subclasses()
+    queryset = PropertyMapping.objects.none()
    serializer_class = PropertyMappingSerializer
    search_fields = [
        "name",
@ -93,9 +80,29 @@ class PropertyMappingViewSet(
    filterset_fields = {"managed": ["isnull"]}
    ordering = ["name"]

+    def get_queryset(self):  # pragma: no cover
+        return PropertyMapping.objects.select_subclasses()
+
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
+    @action(detail=False, pagination_class=None, filter_backends=[])
+    def types(self, request: Request) -> Response:
+        """Get all creatable property-mapping types"""
+        data = []
+        for subclass in all_subclasses(self.queryset.model):
+            subclass: PropertyMapping
+            data.append(
+                {
+                    "name": subclass._meta.verbose_name,
+                    "description": subclass.__doc__,
+                    "component": subclass().component,
+                    "model_name": subclass._meta.model_name,
+                }
+            )
+        return Response(TypeCreateSerializer(data, many=True).data)
+
    @permission_required("authentik_core.view_propertymapping")
    @extend_schema(
-        request=PropertyMappingTestSerializer(),
+        request=PolicyTestSerializer(),
        responses={
            200: PropertyMappingTestResultSerializer,
            400: OpenApiResponse(description="Invalid parameters"),
@ -113,39 +120,29 @@ class PropertyMappingViewSet(
        """Test Property Mapping"""
        _mapping: PropertyMapping = self.get_object()
        # Use `get_subclass` to get correct class and correct `.evaluate` implementation
-        mapping: PropertyMapping = PropertyMapping.objects.get_subclass(pk=_mapping.pk)
+        mapping = PropertyMapping.objects.get_subclass(pk=_mapping.pk)
        # FIXME: when we separate policy mappings between ones for sources
        # and ones for providers, we need to make the user field optional for the source mapping
-        test_params = self.PropertyMappingTestSerializer(data=request.data)
+        test_params = PolicyTestSerializer(data=request.data)
        if not test_params.is_valid():
            return Response(test_params.errors, status=400)

        format_result = str(request.GET.get("format_result", "false")).lower() == "true"

-        context: dict = test_params.validated_data.get("context", {})
-        context.setdefault("user", None)
-
-        if user := test_params.validated_data.get("user"):
-            # User permission check, only allow mapping testing for users that are readable
-            users = get_objects_for_user(request.user, "authentik_core.view_user").filter(
-                pk=user.pk
-            )
-            if not users.exists():
-                raise PermissionDenied()
-            context["user"] = user
-        if group := test_params.validated_data.get("group"):
-            # Group permission check, only allow mapping testing for groups that are readable
-            groups = get_objects_for_user(request.user, "authentik_core.view_group").filter(
-                pk=group.pk
-            )
-            if not groups.exists():
-                raise PermissionDenied()
-            context["group"] = group
-        context["request"] = self.request
+        # User permission check, only allow mapping testing for users that are readable
+        users = get_objects_for_user(request.user, "authentik_core.view_user").filter(
+            pk=test_params.validated_data["user"].pk
+        )
+        if not users.exists():
+            raise PermissionDenied()

        response_data = {"successful": True, "result": ""}
        try:
-            result = mapping.evaluate(**context)
+            result = mapping.evaluate(
+                users.first(),
+                self.request,
+                **test_params.validated_data.get("context", {}),
+            )
            response_data["result"] = dumps(
                sanitize_item(result), indent=(4 if format_result else None)
            )
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -5,14 +5,20 @@ from django.db.models.query import Q
 from django.utils.translation import gettext_lazy as _
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
+from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
-from rest_framework.fields import ReadOnlyField, SerializerMethodField
+from rest_framework.decorators import action
+from rest_framework.fields import ReadOnlyField
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet

-from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.models import Provider
+from authentik.enterprise.apps import EnterpriseConfig
+from authentik.lib.utils.reflection import all_subclasses


 class ProviderSerializer(ModelSerializer, MetaNameSerializer):
@ -57,12 +63,8 @@ class ProviderFilter(FilterSet):
    """Filter for providers"""

    application__isnull = BooleanFilter(method="filter_application__isnull")
-    backchannel = BooleanFilter(
-        method="filter_backchannel",
-        label=_(
-            "When not set all providers are returned. When set to true, only backchannel "
-            "providers are returned. When set to false, backchannel providers are excluded"
-        ),
+    backchannel_only = BooleanFilter(
+        method="filter_backchannel_only",
    )

    def filter_application__isnull(self, queryset: QuerySet, name, value):
@ -73,14 +75,12 @@ class ProviderFilter(FilterSet):
            | Q(application__isnull=value)
        )

-    def filter_backchannel(self, queryset: QuerySet, name, value):
-        """By default all providers are returned. When set to true, only backchannel providers are
-        returned. When set to false, backchannel providers are excluded"""
+    def filter_backchannel_only(self, queryset: QuerySet, name, value):
+        """Only return backchannel providers"""
        return queryset.filter(is_backchannel=value)


 class ProviderViewSet(
-    TypesMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
@ -99,3 +99,31 @@ class ProviderViewSet(

    def get_queryset(self):  # pragma: no cover
        return Provider.objects.select_subclasses()
+
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
+    @action(detail=False, pagination_class=None, filter_backends=[])
+    def types(self, request: Request) -> Response:
+        """Get all creatable provider types"""
+        data = []
+        for subclass in all_subclasses(self.queryset.model):
+            subclass: Provider
+            if subclass._meta.abstract:
+                continue
+            data.append(
+                {
+                    "name": subclass._meta.verbose_name,
+                    "description": subclass.__doc__,
+                    "component": subclass().component,
+                    "model_name": subclass._meta.model_name,
+                    "requires_enterprise": isinstance(subclass._meta.app_config, EnterpriseConfig),
+                }
+            )
+        data.append(
+            {
+                "name": _("SAML Provider from Metadata"),
+                "description": _("Create a SAML Provider by importing its Metadata."),
+                "component": "ak-provider-saml-import-form",
+                "model_name": "",
+            }
+        )
+        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -11,14 +11,14 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger

 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
-from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.models import Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.file import (
@ -27,6 +27,7 @@ from authentik.lib.utils.file import (
    set_file,
    set_file_url,
 )
+from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.engine import PolicyEngine
 from authentik.rbac.decorators import permission_required

@ -73,7 +74,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):


 class SourceViewSet(
-    TypesMixin,
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    UsedByMixin,
@ -132,6 +132,30 @@ class SourceViewSet(
        source: Source = self.get_object()
        return set_file_url(request, source, "icon")

+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
+    @action(detail=False, pagination_class=None, filter_backends=[])
+    def types(self, request: Request) -> Response:
+        """Get all creatable source types"""
+        data = []
+        for subclass in all_subclasses(self.queryset.model):
+            subclass: Source
+            component = ""
+            if len(subclass.__subclasses__()) > 0:
+                continue
+            if subclass._meta.abstract:
+                component = subclass.__bases__[0]().component
+            else:
+                component = subclass().component
+            data.append(
+                {
+                    "name": subclass._meta.verbose_name,
+                    "description": subclass.__doc__,
+                    "component": component,
+                    "model_name": subclass._meta.model_name,
+                }
+            )
+        return Response(TypeCreateSerializer(data, many=True).data)
+
    @extend_schema(responses={200: UserSettingSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def user_settings(self, request: Request) -> Response:
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -12,6 +12,7 @@ from rest_framework.fields import CharField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.api.authorization import OwnerSuperuserPermissions
@ -19,7 +20,7 @@ from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
@ -44,13 +45,6 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
            self.fields["key"] = CharField(required=False)

-    def validate_user(self, user: User):
-        """Ensure user of token cannot be changed"""
-        if self.instance and self.instance.user_id:
-            if user.pk != self.instance.user_id:
-                raise ValidationError("User cannot be changed")
-        return user
-
    def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
        """Ensure only API or App password tokens are created."""
        request: Request = self.context.get("request")
--- a/authentik/core/api/used_by.py
+++ b/authentik/core/api/used_by.py
@ -39,12 +39,12 @@ def get_delete_action(manager: Manager) -> str:
    """Get the delete action from the Foreign key, falls back to cascade"""
    if hasattr(manager, "field"):
        if manager.field.remote_field.on_delete.__name__ == SET_NULL.__name__:
-            return DeleteAction.SET_NULL.value
+            return DeleteAction.SET_NULL.name
        if manager.field.remote_field.on_delete.__name__ == SET_DEFAULT.__name__:
-            return DeleteAction.SET_DEFAULT.value
+            return DeleteAction.SET_DEFAULT.name
    if hasattr(manager, "source_field"):
-        return DeleteAction.CASCADE_MANY.value
-    return DeleteAction.CASCADE.value
+        return DeleteAction.CASCADE_MANY.name
+    return DeleteAction.CASCADE.name


 class UsedByMixin:
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -40,6 +40,7 @@ from rest_framework.serializers import (
    BooleanField,
    DateTimeField,
    ListSerializer,
+    ModelSerializer,
    PrimaryKeyRelatedField,
    ValidationError,
 )
@ -51,12 +52,7 @@ from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import (
-    JSONDictField,
-    LinkSerializer,
-    ModelSerializer,
-    PassiveSerializer,
-)
+from authentik.core.api.utils import JSONDictField, LinkSerializer, PassiveSerializer
 from authentik.core.middleware import (
    SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
    SESSION_KEY_IMPERSONATE_USER,
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -6,19 +6,8 @@ from django.db.models import Model
 from drf_spectacular.extensions import OpenApiSerializerFieldExtension
 from drf_spectacular.plumbing import build_basic_type
 from drf_spectacular.types import OpenApiTypes
-from rest_framework.fields import (
-    CharField,
-    IntegerField,
-    JSONField,
-    SerializerMethodField,
-)
-from rest_framework.serializers import ModelSerializer as BaseModelSerializer
-from rest_framework.serializers import (
-    Serializer,
-    ValidationError,
-    model_meta,
-    raise_errors_on_nested_writes,
-)
+from rest_framework.fields import BooleanField, CharField, IntegerField, JSONField
+from rest_framework.serializers import Serializer, SerializerMethodField, ValidationError


 def is_dict(value: Any):
@ -28,39 +17,6 @@ def is_dict(value: Any):
    raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")


-class ModelSerializer(BaseModelSerializer):
-
-    def update(self, instance: Model, validated_data):
-        raise_errors_on_nested_writes("update", self, validated_data)
-        info = model_meta.get_field_info(instance)
-
-        # Simply set each attribute on the instance, and then save it.
-        # Note that unlike `.create()` we don't need to treat many-to-many
-        # relationships as being a special case. During updates we already
-        # have an instance pk for the relationships to be associated with.
-        m2m_fields = []
-        for attr, value in validated_data.items():
-            if attr in info.relations and info.relations[attr].to_many:
-                m2m_fields.append((attr, value))
-            else:
-                setattr(instance, attr, value)
-
-        instance.save()
-
-        # Note that many-to-many fields are set after updating instance.
-        # Setting m2m fields triggers signals which could potentially change
-        # updated instance and we do not want it to collide with .update()
-        for attr, value in m2m_fields:
-            field = getattr(instance, attr)
-            # We can't check for inheritance here as m2m managers are generated dynamically
-            if field.__class__.__name__ == "RelatedManager":
-                field.set(value, bulk=False)
-            else:
-                field.set(value)
-
-        return instance
-
-
 class JSONDictField(JSONField):
    """JSON Field which only allows dictionaries"""

@ -112,6 +68,16 @@ class MetaNameSerializer(PassiveSerializer):
        return f"{obj._meta.app_label}.{obj._meta.model_name}"


+class TypeCreateSerializer(PassiveSerializer):
+    """Types of an object that can be created"""
+
+    name = CharField(required=True)
+    description = CharField(required=True)
+    component = CharField(required=True)
+    model_name = CharField(required=True)
+    requires_enterprise = BooleanField(default=False)
+
+
 class CacheSerializer(PassiveSerializer):
    """Generic cache stats for an object"""

--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -31,9 +31,8 @@ class InbuiltBackend(ModelBackend):
        # Since we can't directly pass other variables to signals, and we want to log the method
        # and the token used, we assume we're running in a flow and set a variable in the context
        flow_plan: FlowPlan = request.session.get(SESSION_KEY_PLAN, FlowPlan(""))
-        flow_plan.context.setdefault(PLAN_CONTEXT_METHOD, method)
-        flow_plan.context.setdefault(PLAN_CONTEXT_METHOD_ARGS, {})
-        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS].update(cleanse_dict(sanitize_dict(kwargs)))
+        flow_plan.context[PLAN_CONTEXT_METHOD] = method
+        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = cleanse_dict(sanitize_dict(kwargs))
        request.session[SESSION_KEY_PLAN] = flow_plan


--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -1,6 +1,5 @@
 """Property Mapping Evaluator"""

-from types import CodeType
 from typing import Any

 from django.db.models import Model
@ -25,8 +24,6 @@ class PropertyMappingEvaluator(BaseEvaluator):
    """Custom Evaluator that adds some different context variables."""

    dry_run: bool
-    model: Model
-    _compiled: CodeType | None = None

    def __init__(
        self,
@ -36,32 +33,23 @@ class PropertyMappingEvaluator(BaseEvaluator):
        dry_run: bool | None = False,
        **kwargs,
    ):
-        self.model = model
        if hasattr(model, "name"):
            _filename = model.name
        else:
            _filename = str(model)
        super().__init__(filename=_filename)
-        self.dry_run = dry_run
-        self.set_context(user, request, **kwargs)
-
-    def set_context(
-        self,
-        user: User | None = None,
-        request: HttpRequest | None = None,
-        **kwargs,
-    ):
        req = PolicyRequest(user=User())
-        req.obj = self.model
+        req.obj = model
        if user:
            req.user = user
            self._context["user"] = user
        if request:
            req.http_request = request
-        req.context.update(**kwargs)
        self._context["request"] = req
+        req.context.update(**kwargs)
        self._context.update(**kwargs)
        self._globals["SkipObject"] = SkipObjectException
+        self.dry_run = dry_run

    def handle_error(self, exc: Exception, expression_source: str):
        """Exception Handler"""
@ -76,19 +64,10 @@ class PropertyMappingEvaluator(BaseEvaluator):
        )
        if "request" in self._context:
            req: PolicyRequest = self._context["request"]
-            if req.http_request:
-                event.from_http(req.http_request, req.user)
-                return
-            elif req.user:
-                event.set_user(req.user)
+            event.from_http(req.http_request, req.user)
+            return
        event.save()

    def evaluate(self, *args, **kwargs) -> Any:
        with PROPERTY_MAPPING_TIME.labels(mapping_name=self._filename).time():
            return super().evaluate(*args, **kwargs)
-
-    def compile(self, expression: str | None = None) -> Any:
-        if not self._compiled:
-            compiled = super().compile(expression or self.model.expression)
-            self._compiled = compiled
-        return self._compiled
--- a/authentik/core/expression/exceptions.py
+++ b/authentik/core/expression/exceptions.py
@ -1,19 +1,13 @@
 """authentik core exceptions"""

-from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.sentry import SentryIgnoredException


 class PropertyMappingExpressionException(SentryIgnoredException):
    """Error when a PropertyMapping Exception expression could not be parsed or evaluated."""

-    def __init__(self, exc: Exception, mapping) -> None:
-        super().__init__()
-        self.exc = exc
-        self.mapping = mapping

-
-class SkipObjectException(ControlFlowException):
+class SkipObjectException(PropertyMappingExpressionException):
    """Exception which can be raised in a property mapping to skip syncing an object.
    Only applies to Property mappings which sync objects, and not on mappings which transitively
    apply to a single user"""
--- a/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
+++ b/authentik/core/migrations/0029_provider_backchannel_applications_and_more.py
@ -7,13 +7,12 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor


 def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
    from authentik.providers.ldap.models import LDAPProvider
    from authentik.providers.scim.models import SCIMProvider

    for model in [LDAPProvider, SCIMProvider]:
        try:
-            for obj in model.objects.using(db_alias).only("is_backchannel"):
+            for obj in model.objects.only("is_backchannel"):
                obj.is_backchannel = True
                obj.save()
        except (DatabaseError, InternalError, ProgrammingError):
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -15,7 +15,6 @@ from django.http import HttpRequest
 from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
-from django_cte import CTEQuerySet, With
 from guardian.conf import settings
 from guardian.mixins import GuardianUserMixin
 from model_utils.managers import InheritanceManager
@ -26,7 +25,6 @@ from authentik.blueprints.models import ManagedModel
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
-from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.generators import generate_id
 from authentik.lib.models import (
    CreatedUpdatedModel,
@ -58,8 +56,6 @@ options.DEFAULT_NAMES = options.DEFAULT_NAMES + (
    "authentik_used_by_shadows",
 )

-GROUP_RECURSION_LIMIT = 20
-

 def default_token_duration() -> datetime:
    """Default duration a Token is valid"""
@ -100,40 +96,6 @@ class UserTypes(models.TextChoices):
    INTERNAL_SERVICE_ACCOUNT = "internal_service_account"


-class GroupQuerySet(CTEQuerySet):
-    def with_children_recursive(self):
-        """Recursively get all groups that have the current queryset as parents
-        or are indirectly related."""
-
-        def make_cte(cte):
-            """Build the query that ends up in WITH RECURSIVE"""
-            # Start from self, aka the current query
-            # Add a depth attribute to limit the recursion
-            return self.annotate(
-                relative_depth=models.Value(0, output_field=models.IntegerField())
-            ).union(
-                # Here is the recursive part of the query. cte refers to the previous iteration
-                # Only select groups for which the parent is part of the previous iteration
-                # and increase the depth
-                # Finally, limit the depth
-                cte.join(Group, group_uuid=cte.col.parent_id)
-                .annotate(
-                    relative_depth=models.ExpressionWrapper(
-                        cte.col.relative_depth
-                        + models.Value(1, output_field=models.IntegerField()),
-                        output_field=models.IntegerField(),
-                    )
-                )
-                .filter(relative_depth__lt=GROUP_RECURSION_LIMIT),
-                all=True,
-            )
-
-        # Build the recursive query, see above
-        cte = With.recursive(make_cte)
-        # Return the result, as a usable queryset for Group.
-        return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
-
-
 class Group(SerializerModel):
    """Group model which supports a basic hierarchy and has attributes"""

@ -156,8 +118,6 @@ class Group(SerializerModel):
    )
    attributes = models.JSONField(default=dict, blank=True)

-    objects = GroupQuerySet.as_manager()
-
    @property
    def serializer(self) -> Serializer:
        from authentik.core.api.groups import GroupSerializer
@ -176,11 +136,36 @@ class Group(SerializerModel):
        return user.all_groups().filter(group_uuid=self.group_uuid).exists()

    def children_recursive(self: Self | QuerySet["Group"]) -> QuerySet["Group"]:
-        """Compatibility layer for Group.objects.with_children_recursive()"""
-        qs = self
-        if not isinstance(self, QuerySet):
-            qs = Group.objects.filter(group_uuid=self.group_uuid)
-        return qs.with_children_recursive()
+        """Recursively get all groups that have this as parent or are indirectly related"""
+        direct_groups = []
+        if isinstance(self, QuerySet):
+            direct_groups = list(x for x in self.all().values_list("pk", flat=True).iterator())
+        else:
+            direct_groups = [self.pk]
+        if len(direct_groups) < 1:
+            return Group.objects.none()
+        query = """
+        WITH RECURSIVE parents AS (
+            SELECT authentik_core_group.*, 0 AS relative_depth
+            FROM authentik_core_group
+            WHERE authentik_core_group.group_uuid = ANY(%s)
+
+            UNION ALL
+
+            SELECT authentik_core_group.*, parents.relative_depth + 1
+            FROM authentik_core_group, parents
+            WHERE (
+                authentik_core_group.group_uuid = parents.parent_id and
+                parents.relative_depth < 20
+            )
+        )
+        SELECT group_uuid
+        FROM parents
+        GROUP BY group_uuid, name
+        ORDER BY name;
+        """
+        group_pks = [group.pk for group in Group.objects.raw(query, [direct_groups]).iterator()]
+        return Group.objects.filter(pk__in=group_pks)

    def __str__(self):
        return f"Group {self.name}"
@ -247,8 +232,10 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
        return User._meta.get_field("path").default

    def all_groups(self) -> QuerySet[Group]:
-        """Recursively get all groups this user is a member of."""
-        return self.ak_groups.all().with_children_recursive()
+        """Recursively get all groups this user is a member of.
+        At least one query is done to get the direct groups of the user, with groups
+        there are at most 3 queries done"""
+        return Group.children_recursive(self.ak_groups.all())

    def group_attributes(self, request: HttpRequest | None = None) -> dict[str, Any]:
        """Get a dictionary containing the attributes from all groups the user belongs to,
@ -390,10 +377,6 @@ class Provider(SerializerModel):
        Can return None for providers that are not URL-based"""
        return None

-    @property
-    def icon_url(self) -> str | None:
-        return None
-
    @property
    def component(self) -> str:
        """Return component used to edit this object"""
@ -784,10 +767,8 @@ class PropertyMapping(SerializerModel, ManagedModel):
        evaluator = PropertyMappingEvaluator(self, user, request, **kwargs)
        try:
            return evaluator.evaluate(self.expression)
-        except ControlFlowException as exc:
-            raise exc
        except Exception as exc:
-            raise PropertyMappingExpressionException(self, exc) from exc
+            raise PropertyMappingExpressionException(exc) from exc

    def __str__(self):
        return f"Property Mapping {self.name}"
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -13,7 +13,7 @@ from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger

 from authentik.core.models import Source, SourceUserMatchingModes, User, UserSourceConnection
-from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostSourceStage
+from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostUserEnrollmentStage
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow, FlowToken, Stage, in_memory_stage
@ -206,13 +206,17 @@ class SourceFlowManager:

    def get_stages_to_append(self, flow: Flow) -> list[Stage]:
        """Hook to override stages which are appended to the flow"""
-        return [
-            in_memory_stage(PostSourceStage),
-        ]
+        if not self.source.enrollment_flow:
+            return []
+        if flow.slug == self.source.enrollment_flow.slug:
+            return [
+                in_memory_stage(PostUserEnrollmentStage),
+            ]
+        return []

    def _prepare_flow(
        self,
-        flow: Flow | None,
+        flow: Flow,
        connection: UserSourceConnection,
        stages: list[StageView] | None = None,
        **kwargs,
@ -262,9 +266,6 @@ class SourceFlowManager:
            )
        # We run the Flow planner here so we can pass the Pending user in the context
        planner = FlowPlanner(flow)
-        # We append some stages so the initial flow we get might be empty
-        planner.allow_empty_flows = True
-        planner.use_cache = False
        plan = planner.plan(self.request, kwargs)
        for stage in self.get_stages_to_append(flow):
            plan.append_stage(stage)
@ -309,9 +310,7 @@ class SourceFlowManager:
        # When request isn't authenticated we jump straight to auth
        if not self.request.user.is_authenticated:
            return self.handle_auth(connection)
-        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
-            return self._prepare_flow(None, connection)
-        connection.save()
+        # Connection has already been saved
        Event.new(
            EventAction.SOURCE_LINKED,
            message="Linked Source",
@ -325,7 +324,7 @@ class SourceFlowManager:
            reverse(
                "authentik_core:if-user",
            )
-            + "#/settings;page-sources"
+            + f"#/settings;page-{self.source.slug}"
        )

    def handle_enroll(
--- a/authentik/core/sources/stage.py
+++ b/authentik/core/sources/stage.py
@ -10,7 +10,7 @@ from authentik.flows.stage import StageView
 PLAN_CONTEXT_SOURCES_CONNECTION = "goauthentik.io/sources/connection"


-class PostSourceStage(StageView):
+class PostUserEnrollmentStage(StageView):
    """Dynamically injected stage which saves the Connection after
    the user has been enrolled."""

@ -21,12 +21,10 @@ class PostSourceStage(StageView):
        ]
        user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
        connection.user = user
-        linked = connection.pk is None
        connection.save()
-        if linked:
-            Event.new(
-                EventAction.SOURCE_LINKED,
-                message="Linked Source",
-                source=connection.source,
-            ).from_http(self.request)
+        Event.new(
+            EventAction.SOURCE_LINKED,
+            message="Linked Source",
+            source=connection.source,
+        ).from_http(self.request)
        return self.executor.stage_ok()
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -10,7 +10,7 @@
        versionSubdomain: "{{ version_subdomain }}",
        build: "{{ build }}",
    };
-    window.addEventListener("DOMContentLoaded", function () {
+    window.addEventListener("DOMContentLoaded", () => {
        {% for message in messages %}
        window.dispatchEvent(
            new CustomEvent("ak-message", {
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -1,6 +1,5 @@
 {% load static %}
 {% load i18n %}
-{% load authentik_core %}

 <!DOCTYPE html>

@ -15,8 +14,8 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        {% versioned_script "dist/poly-%v.js" %}
-        {% versioned_script "dist/standalone/loading/index-%v.js" %}
+        <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
+        <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
        {% block head %}
        {% endblock %}
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}

-{% load authentik_core %}
+{% load static %}

 {% block head %}
-{% versioned_script "dist/admin/AdminInterface-%v.js" %}
+<script src="{% static 'dist/admin/AdminInterface.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -1,7 +1,6 @@
 {% extends "base/skeleton.html" %}

 {% load static %}
-{% load authentik_core %}

 {% block head_before %}
 {{ block.super }}
@ -18,7 +17,7 @@ window.authentik.flow = {
 {% endblock %}

 {% block head %}
-{% versioned_script "dist/flow/FlowInterface-%v.js" %}
+<script src="{% static 'dist/flow/FlowInterface.js' %}?version={{ version }}" type="module"></script>
 <style>
 :root {
    --ak-flow-background: url("{{ flow.background_url }}");
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}

-{% load authentik_core %}
+{% load static %}

 {% block head %}
-{% versioned_script "dist/user/UserInterface-%v.js" %}
+<script src="{% static 'dist/user/UserInterface.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -71,9 +71,9 @@
                </li>
                {% endfor %}
                <li>
-                    <span>
+                    <a href="https://goauthentik.io?utm_source=authentik">
                        {% trans 'Powered by authentik' %}
-                    </span>
+                    </a>
                </li>
            </ul>
        </footer>
--- a/authentik/core/templatetags/init.py
+++ b/authentik/core/templatetags/init.py
--- a/authentik/core/templatetags/authentik_core.py
+++ b/authentik/core/templatetags/authentik_core.py
@ -1,21 +0,0 @@
-"""authentik core tags"""
-
-from django import template
-from django.templatetags.static import static as static_loader
-from django.utils.safestring import mark_safe
-
-from authentik import get_full_version
-
-register = template.Library()
-
-
-@register.simple_tag()
-def versioned_script(path: str) -> str:
-    """Wrapper around {% static %} tag that supports setting the version"""
-    returned_lines = [
-        (
-            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
-            '" type="module"></script>'
-        ),
-    ]
-    return mark_safe("".join(returned_lines))  # nosec
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -23,17 +23,6 @@ class TestGroupsAPI(APITestCase):
        response = self.client.get(reverse("authentik_api:group-list"), {"include_users": "true"})
        self.assertEqual(response.status_code, 200)

-    def test_retrieve_with_users(self):
-        """Test retrieve with users"""
-        admin = create_test_admin_user()
-        group = Group.objects.create(name=generate_id())
-        self.client.force_login(admin)
-        response = self.client.get(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            {"include_users": "true"},
-        )
-        self.assertEqual(response.status_code, 200)
-
    def test_add_user(self):
        """Test add_user"""
        group = Group.objects.create(name=generate_id())
--- a/authentik/core/tests/test_models.py
+++ b/authentik/core/tests/test_models.py
@ -1,14 +1,14 @@
 """authentik core models tests"""

 from collections.abc import Callable
-from datetime import timedelta
+from time import sleep

 from django.test import RequestFactory, TestCase
 from django.utils.timezone import now
-from freezegun import freeze_time
 from guardian.shortcuts import get_anonymous_user

 from authentik.core.models import Provider, Source, Token
+from authentik.flows.models import Stage
 from authentik.lib.utils.reflection import all_subclasses


@ -17,20 +17,18 @@ class TestModels(TestCase):

    def test_token_expire(self):
        """Test token expiring"""
-        with freeze_time() as freeze:
-            token = Token.objects.create(expires=now(), user=get_anonymous_user())
-            freeze.tick(timedelta(seconds=1))
-            self.assertTrue(token.is_expired)
+        token = Token.objects.create(expires=now(), user=get_anonymous_user())
+        sleep(0.5)
+        self.assertTrue(token.is_expired)

    def test_token_expire_no_expire(self):
        """Test token expiring with "expiring" set"""
-        with freeze_time() as freeze:
-            token = Token.objects.create(expires=now(), user=get_anonymous_user(), expiring=False)
-            freeze.tick(timedelta(seconds=1))
-            self.assertFalse(token.is_expired)
+        token = Token.objects.create(expires=now(), user=get_anonymous_user(), expiring=False)
+        sleep(0.5)
+        self.assertFalse(token.is_expired)


-def source_tester_factory(test_model: type[Source]) -> Callable:
+def source_tester_factory(test_model: type[Stage]) -> Callable:
    """Test source"""

    factory = RequestFactory()
@ -38,19 +36,19 @@ def source_tester_factory(test_model: type[Source]) -> Callable:

    def tester(self: TestModels):
        model_class = None
-        if test_model._meta.abstract:
-            model_class = [x for x in test_model.__bases__ if issubclass(x, Source)][0]()
+        if test_model._meta.abstract:  # pragma: no cover
+            model_class = test_model.__bases__[0]()
        else:
            model_class = test_model()
        model_class.slug = "test"
        self.assertIsNotNone(model_class.component)
-        model_class.ui_login_button(request)
-        model_class.ui_user_settings()
+        _ = model_class.ui_login_button(request)
+        _ = model_class.ui_user_settings()

    return tester


-def provider_tester_factory(test_model: type[Provider]) -> Callable:
+def provider_tester_factory(test_model: type[Stage]) -> Callable:
    """Test provider"""

    def tester(self: TestModels):
--- a/authentik/core/tests/test_property_mapping.py
+++ b/authentik/core/tests/test_property_mapping.py
@ -3,10 +3,7 @@
 from django.test import RequestFactory, TestCase
 from guardian.shortcuts import get_anonymous_user

-from authentik.core.expression.exceptions import (
-    PropertyMappingExpressionException,
-    SkipObjectException,
-)
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.models import Event, EventAction
@ -45,17 +42,6 @@ class TestPropertyMappings(TestCase):
        self.assertTrue(events.exists())
        self.assertEqual(len(events), 1)

-    def test_expression_skip(self):
-        """Test expression error"""
-        expr = "raise SkipObject"
-        mapping = PropertyMapping.objects.create(name=generate_id(), expression=expr)
-        with self.assertRaises(SkipObjectException):
-            mapping.evaluate(None, None)
-        events = Event.objects.filter(
-            action=EventAction.PROPERTY_MAPPING_EXCEPTION, context__expression=expr
-        )
-        self.assertFalse(events.exists())
-
    def test_expression_error_extended(self):
        """Test expression error (with user and http request"""
        expr = "return aaa"
--- a/authentik/core/tests/test_property_mapping_api.py
+++ b/authentik/core/tests/test_property_mapping_api.py
@ -6,10 +6,9 @@ from django.urls import reverse
 from rest_framework.serializers import ValidationError
 from rest_framework.test import APITestCase

-from authentik.core.api.property_mappings import PropertyMappingSerializer
-from authentik.core.models import Group, PropertyMapping
+from authentik.core.api.propertymappings import PropertyMappingSerializer
+from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.generators import generate_id


 class TestPropertyMappingAPI(APITestCase):
@ -17,40 +16,23 @@ class TestPropertyMappingAPI(APITestCase):

    def setUp(self) -> None:
        super().setUp()
+        self.mapping = PropertyMapping.objects.create(
+            name="dummy", expression="""return {'foo': 'bar'}"""
+        )
        self.user = create_test_admin_user()
        self.client.force_login(self.user)

    def test_test_call(self):
-        """Test PropertyMappings's test endpoint"""
-        mapping = PropertyMapping.objects.create(
-            name="dummy", expression="""return {'foo': 'bar', 'baz': user.username}"""
-        )
+        """Test PropertMappings's test endpoint"""
        response = self.client.post(
-            reverse("authentik_api:propertymapping-test", kwargs={"pk": mapping.pk}),
+            reverse("authentik_api:propertymapping-test", kwargs={"pk": self.mapping.pk}),
            data={
                "user": self.user.pk,
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
-            {"result": dumps({"foo": "bar", "baz": self.user.username}), "successful": True},
-        )
-
-    def test_test_call_group(self):
-        """Test PropertyMappings's test endpoint"""
-        mapping = PropertyMapping.objects.create(
-            name="dummy", expression="""return {'foo': 'bar', 'baz': group.name}"""
-        )
-        group = Group.objects.create(name=generate_id())
-        response = self.client.post(
-            reverse("authentik_api:propertymapping-test", kwargs={"pk": mapping.pk}),
-            data={
-                "group": group.pk,
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"result": dumps({"foo": "bar", "baz": group.name}), "successful": True},
+            {"result": dumps({"foo": "bar"}), "successful": True},
        )

    def test_validate(self):
--- a/authentik/core/tests/test_source_flow_manager.py
+++ b/authentik/core/tests/test_source_flow_manager.py
@ -2,15 +2,11 @@

 from django.contrib.auth.models import AnonymousUser
 from django.test import TestCase
-from django.urls import reverse
 from guardian.utils import get_anonymous_user

 from authentik.core.models import SourceUserMatchingModes, User
 from authentik.core.sources.flow_manager import Action
-from authentik.core.sources.stage import PostSourceStage
 from authentik.core.tests.utils import create_test_flow
-from authentik.flows.planner import FlowPlan
-from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
 from authentik.policies.denied import AccessDeniedResponse
@ -25,55 +21,41 @@ class TestSourceFlowManager(TestCase):

    def setUp(self) -> None:
        super().setUp()
-        self.authentication_flow = create_test_flow()
-        self.enrollment_flow = create_test_flow()
-        self.source: OAuthSource = OAuthSource.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-            authentication_flow=self.authentication_flow,
-            enrollment_flow=self.enrollment_flow,
-        )
+        self.source: OAuthSource = OAuthSource.objects.create(name="test")
        self.identifier = generate_id()

    def test_unauthenticated_enroll(self):
        """Test un-authenticated user enrolling"""
-        request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+        )
        action, _ = flow_manager.get_action()
        self.assertEqual(action, Action.ENROLL)
-        response = flow_manager.get_flow()
-        self.assertEqual(response.status_code, 302)
-        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
-        self.assertEqual(flow_plan.bindings[0].stage.view, PostSourceStage)
+        flow_manager.get_flow()

    def test_unauthenticated_auth(self):
        """Test un-authenticated user authenticating"""
        UserOAuthSourceConnection.objects.create(
            user=get_anonymous_user(), source=self.source, identifier=self.identifier
        )
-        request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+
+        flow_manager = OAuthSourceFlowManager(
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+        )
        action, _ = flow_manager.get_action()
        self.assertEqual(action, Action.AUTH)
-        response = flow_manager.get_flow()
-        self.assertEqual(response.status_code, 302)
-        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
-        self.assertEqual(flow_plan.bindings[0].stage.view, PostSourceStage)
+        flow_manager.get_flow()

    def test_authenticated_link(self):
        """Test authenticated user linking"""
        user = User.objects.create(username="foo", email="foo@bar.baz")
-        request = get_request("/", user=user)
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, get_request("/", user=user), self.identifier, {}
+        )
        action, connection = flow_manager.get_action()
        self.assertEqual(action, Action.LINK)
        self.assertIsNone(connection.pk)
-        response = flow_manager.get_flow()
-        self.assertEqual(response.status_code, 302)
-        self.assertEqual(
-            response.url,
-            reverse("authentik_core:if-user") + "#/settings;page-sources",
-        )
+        flow_manager.get_flow()

    def test_unauthenticated_link(self):
        """Test un-authenticated user linking"""
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@ -13,8 +13,9 @@ from authentik.core.models import (
    USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
    Token,
    TokenIntents,
+    User,
 )
-from authentik.core.tests.utils import create_test_admin_user, create_test_user
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id


@ -23,7 +24,7 @@ class TestTokenAPI(APITestCase):

    def setUp(self) -> None:
        super().setUp()
-        self.user = create_test_user()
+        self.user = User.objects.create(username="testuser")
        self.admin = create_test_admin_user()
        self.client.force_login(self.user)

@ -153,24 +154,6 @@ class TestTokenAPI(APITestCase):
        self.assertEqual(token.expiring, True)
        self.assertNotEqual(token.expires.timestamp(), expires.timestamp())

-    def test_token_change_user(self):
-        """Test creating a token and then changing the user"""
-        ident = generate_id()
-        response = self.client.post(reverse("authentik_api:token-list"), {"identifier": ident})
-        self.assertEqual(response.status_code, 201)
-        token = Token.objects.get(identifier=ident)
-        self.assertEqual(token.user, self.user)
-        self.assertEqual(token.intent, TokenIntents.INTENT_API)
-        self.assertEqual(token.expiring, True)
-        self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))
-        response = self.client.put(
-            reverse("authentik_api:token-detail", kwargs={"identifier": ident}),
-            data={"identifier": "user_token_poc_v3", "intent": "api", "user": self.admin.pk},
-        )
-        self.assertEqual(response.status_code, 400)
-        token.refresh_from_db()
-        self.assertEqual(token.user, self.user)
-
    def test_list(self):
        """Test Token List (Test normal authentication)"""
        Token.objects.all().delete()
--- a/authentik/core/tests/test_users_avatars.py
+++ b/authentik/core/tests/test_users_avatars.py
@ -42,8 +42,8 @@ class TestUsersAvatars(APITestCase):
        with Mocker() as mocker:
            mocker.head(
                (
-                    "https://www.gravatar.com/avatar/76eb3c74c8beb6faa037f1b6e2ecb3e252bdac"
-                    "6cf71fb567ae36025a9d4ea86b?size=158&rating=g&default=404"
+                    "https://secure.gravatar.com/avatar/84730f9c1851d1ea03f1a"
+                    "a9ed85bd1ea?size=158&rating=g&default=404"
                ),
                text="foo",
            )
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -12,7 +12,7 @@ from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
 from authentik.core.api.devices import AdminDeviceViewSet, DeviceViewSet
 from authentik.core.api.groups import GroupViewSet
-from authentik.core.api.property_mappings import PropertyMappingViewSet
+from authentik.core.api.propertymappings import PropertyMappingViewSet
 from authentik.core.api.providers import ProviderViewSet
 from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSet
 from authentik.core.api.tokens import TokenViewSet
@ -20,9 +20,8 @@ from authentik.core.api.transactional_applications import TransactionalApplicati
 from authentik.core.api.users import UserViewSet
 from authentik.core.views import apps
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import InterfaceView
+from authentik.core.views.interface import FlowInterfaceView, InterfaceView
 from authentik.core.views.session import EndSessionView
-from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@ -54,8 +53,6 @@ urlpatterns = [
    ),
    path(
        "if/flow/<slug:flow_slug>/",
-        # FIXME: move this url to the flows app...also will cause all
-        # of the reverse calls to be adjusted
        ensure_csrf_cookie(FlowInterfaceView.as_view()),
        name="if-flow",
    ),
--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@ -8,6 +8,7 @@ from django.views import View
 from authentik.core.models import Application
 from authentik.flows.challenge import (
    ChallengeResponse,
+    ChallengeTypes,
    HttpChallengeResponse,
    RedirectChallenge,
 )
@ -73,6 +74,7 @@ class RedirectToAppStage(ChallengeStageView):
            raise Http404
        return RedirectChallenge(
            instance={
+                "type": ChallengeTypes.REDIRECT.value,
                "to": launch,
            }
        )
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -3,6 +3,7 @@
 from json import dumps
 from typing import Any

+from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 from rest_framework.request import Request

@ -10,6 +11,7 @@ from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
+from authentik.flows.models import Flow


 class InterfaceView(TemplateView):
@ -23,3 +25,14 @@ class InterfaceView(TemplateView):
        kwargs["build"] = get_build_hash()
        kwargs["url_kwargs"] = self.kwargs
        return super().get_context_data(**kwargs)
+
+
+class FlowInterfaceView(InterfaceView):
+    """Flow interface"""
+
+    template_name = "if/flow.html"
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["inspector"] = "inspector" in self.request.GET
+        return super().get_context_data(**kwargs)
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -24,12 +24,13 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
--- a/authentik/crypto/models.py
+++ b/authentik/crypto/models.py
@ -92,11 +92,7 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
    @property
    def kid(self):
        """Get Key ID used for JWKS"""
-        return (
-            md5(self.key_data.encode("utf-8"), usedforsecurity=False).hexdigest()
-            if self.key_data
-            else ""
-        )  # nosec
+        return md5(self.key_data.encode("utf-8")).hexdigest() if self.key_data else ""  # nosec

    def __str__(self) -> str:
        return f"Certificate-Key Pair {self.name}"
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -241,7 +241,7 @@ class TestCrypto(APITestCase):
                    "model_name": "oauth2provider",
                    "pk": str(provider.pk),
                    "name": str(provider),
-                    "action": DeleteAction.SET_NULL.value,
+                    "action": DeleteAction.SET_NULL.name,
                }
            ],
        )
--- a/authentik/enterprise/api.py
+++ b/authentik/enterprise/api.py
@ -13,10 +13,11 @@ from rest_framework.fields import CharField, IntegerField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
 from authentik.enterprise.models import License
--- a/authentik/enterprise/providers/google_workspace/api/groups.py
+++ b/authentik/enterprise/providers/google_workspace/api/groups.py
@ -1,47 +0,0 @@
-"""GoogleWorkspaceProviderGroup API Views"""
-
-from rest_framework import mixins
-from rest_framework.viewsets import GenericViewSet
-
-from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.users import UserGroupSerializer
-from authentik.core.api.utils import ModelSerializer
-from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderGroup
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
-
-
-class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
-    """GoogleWorkspaceProviderGroup Serializer"""
-
-    group_obj = UserGroupSerializer(source="group", read_only=True)
-
-    class Meta:
-
-        model = GoogleWorkspaceProviderGroup
-        fields = [
-            "id",
-            "google_id",
-            "group",
-            "group_obj",
-            "provider",
-            "attributes",
-        ]
-        extra_kwargs = {"attributes": {"read_only": True}}
-
-
-class GoogleWorkspaceProviderGroupViewSet(
-    mixins.CreateModelMixin,
-    OutgoingSyncConnectionCreateMixin,
-    mixins.RetrieveModelMixin,
-    mixins.DestroyModelMixin,
-    UsedByMixin,
-    mixins.ListModelMixin,
-    GenericViewSet,
-):
-    """GoogleWorkspaceProviderGroup Viewset"""
-
-    queryset = GoogleWorkspaceProviderGroup.objects.all().select_related("group")
-    serializer_class = GoogleWorkspaceProviderGroupSerializer
-    filterset_fields = ["provider__id", "group__name", "group__group_uuid"]
-    search_fields = ["provider__name", "group__name"]
-    ordering = ["group__name"]
--- a/authentik/enterprise/providers/google_workspace/api/property_mappings.py
+++ b/authentik/enterprise/providers/google_workspace/api/property_mappings.py
@ -6,21 +6,21 @@ from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema_field
 from rest_framework.viewsets import ModelViewSet

-from authentik.core.api.property_mappings import PropertyMappingSerializer
+from authentik.core.api.propertymappings import PropertyMappingSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderMapping


-class GoogleWorkspaceProviderMappingSerializer(PropertyMappingSerializer):
-    """GoogleWorkspaceProviderMapping Serializer"""
+class GoogleProviderMappingSerializer(PropertyMappingSerializer):
+    """GoogleProviderMapping Serializer"""

    class Meta:
        model = GoogleWorkspaceProviderMapping
        fields = PropertyMappingSerializer.Meta.fields


-class GoogleWorkspaceProviderMappingFilter(FilterSet):
-    """Filter for GoogleWorkspaceProviderMapping"""
+class GoogleProviderMappingFilter(FilterSet):
+    """Filter for GoogleProviderMapping"""

    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))

@ -29,11 +29,11 @@ class GoogleWorkspaceProviderMappingFilter(FilterSet):
        fields = "__all__"


-class GoogleWorkspaceProviderMappingViewSet(UsedByMixin, ModelViewSet):
-    """GoogleWorkspaceProviderMapping Viewset"""
+class GoogleProviderMappingViewSet(UsedByMixin, ModelViewSet):
+    """GoogleProviderMapping Viewset"""

    queryset = GoogleWorkspaceProviderMapping.objects.all()
-    serializer_class = GoogleWorkspaceProviderMappingSerializer
-    filterset_class = GoogleWorkspaceProviderMappingFilter
+    serializer_class = GoogleProviderMappingSerializer
+    filterset_class = GoogleProviderMappingFilter
    search_fields = ["name"]
    ordering = ["name"]
--- a/authentik/enterprise/providers/google_workspace/api/providers.py
+++ b/authentik/enterprise/providers/google_workspace/api/providers.py
@ -10,8 +10,8 @@ from authentik.enterprise.providers.google_workspace.tasks import google_workspa
 from authentik.lib.sync.outgoing.api import OutgoingSyncProviderStatusMixin


-class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
-    """GoogleWorkspaceProvider Serializer"""
+class GoogleProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
+    """GoogleProvider Serializer"""

    class Meta:
        model = GoogleWorkspaceProvider
@ -38,11 +38,11 @@ class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSeriali
        extra_kwargs = {}


-class GoogleWorkspaceProviderViewSet(OutgoingSyncProviderStatusMixin, UsedByMixin, ModelViewSet):
-    """GoogleWorkspaceProvider Viewset"""
+class GoogleProviderViewSet(OutgoingSyncProviderStatusMixin, UsedByMixin, ModelViewSet):
+    """GoogleProvider Viewset"""

    queryset = GoogleWorkspaceProvider.objects.all()
-    serializer_class = GoogleWorkspaceProviderSerializer
+    serializer_class = GoogleProviderSerializer
    filterset_fields = [
        "name",
        "exclude_users_service_account",
--- a/authentik/enterprise/providers/google_workspace/api/users.py
+++ b/authentik/enterprise/providers/google_workspace/api/users.py
@ -1,47 +0,0 @@
-"""GoogleWorkspaceProviderUser API Views"""
-
-from rest_framework import mixins
-from rest_framework.viewsets import GenericViewSet
-
-from authentik.core.api.groups import GroupMemberSerializer
-from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
-from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderUser
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
-
-
-class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
-    """GoogleWorkspaceProviderUser Serializer"""
-
-    user_obj = GroupMemberSerializer(source="user", read_only=True)
-
-    class Meta:
-
-        model = GoogleWorkspaceProviderUser
-        fields = [
-            "id",
-            "google_id",
-            "user",
-            "user_obj",
-            "provider",
-            "attributes",
-        ]
-        extra_kwargs = {"attributes": {"read_only": True}}
-
-
-class GoogleWorkspaceProviderUserViewSet(
-    mixins.CreateModelMixin,
-    OutgoingSyncConnectionCreateMixin,
-    mixins.RetrieveModelMixin,
-    mixins.DestroyModelMixin,
-    UsedByMixin,
-    mixins.ListModelMixin,
-    GenericViewSet,
-):
-    """GoogleWorkspaceProviderUser Viewset"""
-
-    queryset = GoogleWorkspaceProviderUser.objects.all().select_related("user")
-    serializer_class = GoogleWorkspaceProviderUserSerializer
-    filterset_fields = ["provider__id", "user__username", "user__id"]
-    search_fields = ["provider__name", "user__username"]
-    ordering = ["user__username"]
--- a/authentik/enterprise/providers/google_workspace/clients/base.py
+++ b/authentik/enterprise/providers/google_workspace/clients/base.py
@ -1,5 +1,5 @@
 from django.db.models import Model
-from django.http import HttpResponseBadRequest, HttpResponseNotFound
+from django.http import HttpResponseNotFound
 from google.auth.exceptions import GoogleAuthError, TransportError
 from googleapiclient.discovery import build
 from googleapiclient.errors import Error, HttpError
@ -10,7 +10,6 @@ from authentik.enterprise.providers.google_workspace.models import GoogleWorkspa
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
-    BadRequestSyncException,
    NotFoundSyncException,
    ObjectExistsSyncException,
    StopSync,
@ -51,24 +50,22 @@ class GoogleWorkspaceSyncClient[TModel: Model, TConnection: Model, TSchema: dict
            raise StopSync(exc) from exc
        except HttpLib2Error as exc:
            if isinstance(exc, HttpLib2ErrorWithResponse):
-                self._response_handle_status_code(request.body, exc.response.status, exc)
+                self._response_handle_status_code(exc.response.status, exc)
            raise TransientSyncException(f"Failed to send request: {str(exc)}") from exc
        except HttpError as exc:
-            self._response_handle_status_code(request.body, exc.status_code, exc)
+            self._response_handle_status_code(exc.status_code, exc)
            raise TransientSyncException(f"Failed to send request: {str(exc)}") from exc
        except Error as exc:
            raise TransientSyncException(f"Failed to send request: {str(exc)}") from exc
        return response

-    def _response_handle_status_code(self, request: dict, status_code: int, root_exc: Exception):
+    def _response_handle_status_code(self, status_code: int, root_exc: Exception):
        if status_code == HttpResponseNotFound.status_code:
            raise NotFoundSyncException("Object not found") from root_exc
        if status_code == HTTP_CONFLICT:
            raise ObjectExistsSyncException("Object exists") from root_exc
-        if status_code == HttpResponseBadRequest.status_code:
-            raise BadRequestSyncException("Bad request", request) from root_exc

    def check_email_valid(self, *emails: str):
        for email in emails:
            if not any(email.endswith(f"@{domain_name}") for domain_name in self.domains):
-                raise BadRequestSyncException(f"Invalid email domain: {email}")
+                raise TransientSyncException(f"Invalid email domain: {email}")
--- a/authentik/enterprise/providers/google_workspace/clients/groups.py
+++ b/authentik/enterprise/providers/google_workspace/clients/groups.py
@ -1,22 +1,28 @@
+from deepmerge import always_merger
 from django.db import transaction
 from django.utils.text import slugify

+from authentik.core.expression.exceptions import (
+    PropertyMappingExpressionException,
+    SkipObjectException,
+)
 from authentik.core.models import Group
 from authentik.enterprise.providers.google_workspace.clients.base import GoogleWorkspaceSyncClient
 from authentik.enterprise.providers.google_workspace.models import (
-    GoogleWorkspaceProvider,
+    GoogleWorkspaceDeleteAction,
    GoogleWorkspaceProviderGroup,
    GoogleWorkspaceProviderMapping,
    GoogleWorkspaceProviderUser,
 )
-from authentik.lib.sync.mapper import PropertyMappingManager
+from authentik.events.models import Event, EventAction
 from authentik.lib.sync.outgoing.base import Direction
 from authentik.lib.sync.outgoing.exceptions import (
    NotFoundSyncException,
    ObjectExistsSyncException,
+    StopSync,
    TransientSyncException,
 )
-from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
+from authentik.lib.utils.errors import exception_to_string


 class GoogleWorkspaceGroupClient(
@ -28,21 +34,41 @@ class GoogleWorkspaceGroupClient(
    connection_type_query = "group"
    can_discover = True

-    def __init__(self, provider: GoogleWorkspaceProvider) -> None:
-        super().__init__(provider)
-        self.mapper = PropertyMappingManager(
-            self.provider.property_mappings_group.all().order_by("name").select_subclasses(),
-            GoogleWorkspaceProviderMapping,
-            ["group", "provider", "connection"],
-        )
-
-    def to_schema(self, obj: Group, connection: GoogleWorkspaceProviderGroup) -> dict:
+    def to_schema(self, obj: Group) -> dict:
        """Convert authentik group"""
-        return super().to_schema(
-            obj,
-            connection=connection,
-            email=f"{slugify(obj.name)}@{self.provider.default_group_email_domain}",
-        )
+        raw_google_group = {
+            "email": f"{slugify(obj.name)}@{self.provider.default_group_email_domain}"
+        }
+        for mapping in (
+            self.provider.property_mappings_group.all().order_by("name").select_subclasses()
+        ):
+            if not isinstance(mapping, GoogleWorkspaceProviderMapping):
+                continue
+            try:
+                mapping: GoogleWorkspaceProviderMapping
+                value = mapping.evaluate(
+                    user=None,
+                    request=None,
+                    group=obj,
+                    provider=self.provider,
+                )
+                if value is None:
+                    continue
+                always_merger.merge(raw_google_group, value)
+            except SkipObjectException as exc:
+                raise exc from exc
+            except (PropertyMappingExpressionException, ValueError) as exc:
+                # Value error can be raised when assigning invalid data to an attribute
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message=f"Failed to evaluate property-mapping {exception_to_string(exc)}",
+                    mapping=mapping,
+                ).save()
+                raise StopSync(exc, obj, mapping) from exc
+        if not raw_google_group:
+            raise StopSync(ValueError("No group mappings configured"), obj)
+
+        return raw_google_group

    def delete(self, obj: Group):
        """Delete group"""
@ -53,7 +79,7 @@ class GoogleWorkspaceGroupClient(
            self.logger.debug("Group does not exist in Google, skipping")
            return None
        with transaction.atomic():
-            if self.provider.group_delete_action == OutgoingSyncDeleteAction.DELETE:
+            if self.provider.group_delete_action == GoogleWorkspaceDeleteAction.DELETE:
                self._request(
                    self.directory_service.groups().delete(groupKey=google_group.google_id)
                )
@ -61,7 +87,7 @@ class GoogleWorkspaceGroupClient(

    def create(self, group: Group):
        """Create group from scratch and create a connection object"""
-        google_group = self.to_schema(group, None)
+        google_group = self.to_schema(group)
        self.check_email_valid(google_group["email"])
        with transaction.atomic():
            try:
@ -73,49 +99,53 @@ class GoogleWorkspaceGroupClient(
                group_data = self._request(
                    self.directory_service.groups().get(groupKey=google_group["email"])
                )
-                return GoogleWorkspaceProviderGroup.objects.create(
-                    provider=self.provider,
-                    group=group,
-                    google_id=group_data["id"],
-                    attributes=group_data,
+                GoogleWorkspaceProviderGroup.objects.create(
+                    provider=self.provider, group=group, google_id=group_data["id"]
                )
            else:
-                return GoogleWorkspaceProviderGroup.objects.create(
-                    provider=self.provider,
-                    group=group,
-                    google_id=response["id"],
-                    attributes=response,
+                GoogleWorkspaceProviderGroup.objects.create(
+                    provider=self.provider, group=group, google_id=response["id"]
                )

    def update(self, group: Group, connection: GoogleWorkspaceProviderGroup):
        """Update existing group"""
-        google_group = self.to_schema(group, connection)
+        google_group = self.to_schema(group)
        self.check_email_valid(google_group["email"])
        try:
-            response = self._request(
+            return self._request(
                self.directory_service.groups().update(
                    groupKey=connection.google_id,
                    body=google_group,
                )
            )
-            connection.attributes = response
-            connection.save()
        except NotFoundSyncException:
            # Resource missing is handled by self.write, which will re-create the group
            raise

    def write(self, obj: Group):
        google_group, created = super().write(obj)
-        self.create_sync_members(obj, google_group)
-        return google_group, created
+        if created:
+            self.create_sync_members(obj, google_group)
+        return google_group

-    def create_sync_members(self, obj: Group, google_group: GoogleWorkspaceProviderGroup):
+    def create_sync_members(self, obj: Group, google_group: dict):
        """Sync all members after a group was created"""
        users = list(obj.users.order_by("id").values_list("id", flat=True))
        connections = GoogleWorkspaceProviderUser.objects.filter(
            provider=self.provider, user__pk__in=users
-        ).values_list("google_id", flat=True)
-        self._patch(google_group.google_id, Direction.add, connections)
+        )
+        for user in connections:
+            try:
+                self._request(
+                    self.directory_service.members().insert(
+                        groupKey=google_group["id"],
+                        body={
+                            "email": user.google_id,
+                        },
+                    )
+                )
+            except TransientSyncException:
+                continue

    def update_group(self, group: Group, action: Direction, users_set: set[int]):
        """Update a groups members"""
@ -212,9 +242,4 @@ class GoogleWorkspaceGroupClient(
            provider=self.provider,
            group=matching_authentik_group,
            google_id=google_id,
-            attributes=group,
        )
-
-    def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):
-        group = self.directory_service.groups().get(connection.google_id)
-        connection.attributes = group
--- a/authentik/enterprise/providers/google_workspace/clients/users.py
+++ b/authentik/enterprise/providers/google_workspace/clients/users.py
@ -1,18 +1,24 @@
+from deepmerge import always_merger
 from django.db import transaction

+from authentik.core.expression.exceptions import (
+    PropertyMappingExpressionException,
+    SkipObjectException,
+)
 from authentik.core.models import User
 from authentik.enterprise.providers.google_workspace.clients.base import GoogleWorkspaceSyncClient
 from authentik.enterprise.providers.google_workspace.models import (
-    GoogleWorkspaceProvider,
+    GoogleWorkspaceDeleteAction,
    GoogleWorkspaceProviderMapping,
    GoogleWorkspaceProviderUser,
 )
-from authentik.lib.sync.mapper import PropertyMappingManager
+from authentik.events.models import Event, EventAction
 from authentik.lib.sync.outgoing.exceptions import (
    ObjectExistsSyncException,
+    StopSync,
    TransientSyncException,
 )
-from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
+from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.utils import delete_none_values


@ -23,17 +29,37 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
    connection_type_query = "user"
    can_discover = True

-    def __init__(self, provider: GoogleWorkspaceProvider) -> None:
-        super().__init__(provider)
-        self.mapper = PropertyMappingManager(
-            self.provider.property_mappings.all().order_by("name").select_subclasses(),
-            GoogleWorkspaceProviderMapping,
-            ["provider", "connection"],
-        )
-
-    def to_schema(self, obj: User, connection: GoogleWorkspaceProviderUser) -> dict:
+    def to_schema(self, obj: User) -> dict:
        """Convert authentik user"""
-        return delete_none_values(super().to_schema(obj, connection, primaryEmail=obj.email))
+        raw_google_user = {}
+        for mapping in self.provider.property_mappings.all().order_by("name").select_subclasses():
+            if not isinstance(mapping, GoogleWorkspaceProviderMapping):
+                continue
+            try:
+                mapping: GoogleWorkspaceProviderMapping
+                value = mapping.evaluate(
+                    user=obj,
+                    request=None,
+                    provider=self.provider,
+                )
+                if value is None:
+                    continue
+                always_merger.merge(raw_google_user, value)
+            except SkipObjectException as exc:
+                raise exc from exc
+            except (PropertyMappingExpressionException, ValueError) as exc:
+                # Value error can be raised when assigning invalid data to an attribute
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message=f"Failed to evaluate property-mapping {exception_to_string(exc)}",
+                    mapping=mapping,
+                ).save()
+                raise StopSync(exc, obj, mapping) from exc
+        if not raw_google_user:
+            raise StopSync(ValueError("No user mappings configured"), obj)
+        if "primaryEmail" not in raw_google_user:
+            raw_google_user["primaryEmail"] = str(obj.email)
+        return delete_none_values(raw_google_user)

    def delete(self, obj: User):
        """Delete user"""
@ -45,11 +71,11 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
            return None
        with transaction.atomic():
            response = None
-            if self.provider.user_delete_action == OutgoingSyncDeleteAction.DELETE:
+            if self.provider.user_delete_action == GoogleWorkspaceDeleteAction.DELETE:
                response = self._request(
                    self.directory_service.users().delete(userKey=google_user.google_id)
                )
-            elif self.provider.user_delete_action == OutgoingSyncDeleteAction.SUSPEND:
+            elif self.provider.user_delete_action == GoogleWorkspaceDeleteAction.SUSPEND:
                response = self._request(
                    self.directory_service.users().update(
                        userKey=google_user.google_id, body={"suspended": True}
@ -60,7 +86,7 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP

    def create(self, user: User):
        """Create user from scratch and create a connection object"""
-        google_user = self.to_schema(user, None)
+        google_user = self.to_schema(user)
        self.check_email_valid(
            google_user["primaryEmail"], *[x["address"] for x in google_user.get("emails", [])]
        )
@ -69,30 +95,25 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
                response = self._request(self.directory_service.users().insert(body=google_user))
            except ObjectExistsSyncException:
                # user already exists in google workspace, so we can connect them manually
-                return GoogleWorkspaceProviderUser.objects.create(
-                    provider=self.provider, user=user, google_id=user.email, attributes={}
+                GoogleWorkspaceProviderUser.objects.create(
+                    provider=self.provider, user=user, google_id=user.email
                )
            except TransientSyncException as exc:
                raise exc
            else:
-                return GoogleWorkspaceProviderUser.objects.create(
-                    provider=self.provider,
-                    user=user,
-                    google_id=response["primaryEmail"],
-                    attributes=response,
+                GoogleWorkspaceProviderUser.objects.create(
+                    provider=self.provider, user=user, google_id=response["primaryEmail"]
                )

    def update(self, user: User, connection: GoogleWorkspaceProviderUser):
        """Update existing user"""
-        google_user = self.to_schema(user, connection)
+        google_user = self.to_schema(user)
        self.check_email_valid(
            google_user["primaryEmail"], *[x["address"] for x in google_user.get("emails", [])]
        )
-        response = self._request(
+        self._request(
            self.directory_service.users().update(userKey=connection.google_id, body=google_user)
        )
-        connection.attributes = response
-        connection.save()

    def discover(self):
        """Iterate through all users and connect them with authentik users if possible"""
@ -117,9 +138,4 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
            provider=self.provider,
            user=matching_authentik_user,
            google_id=email,
-            attributes=user,
        )
-
-    def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):
-        user = self.directory_service.users().get(connection.google_id)
-        connection.attributes = user
--- a/authentik/enterprise/providers/google_workspace/migrations/0001_squashed_0002_alter_googleworkspaceprovidergroup_options_and_more.py
+++ b/authentik/enterprise/providers/google_workspace/migrations/0001_squashed_0002_alter_googleworkspaceprovidergroup_options_and_more.py
@ -1,179 +0,0 @@
-# Generated by Django 5.0.6 on 2024-05-09 12:57
-
-import django.db.models.deletion
-import uuid
-from django.conf import settings
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    replaces = [
-        ("authentik_providers_google_workspace", "0001_initial"),
-        (
-            "authentik_providers_google_workspace",
-            "0002_alter_googleworkspaceprovidergroup_options_and_more",
-        ),
-    ]
-
-    initial = True
-
-    dependencies = [
-        ("authentik_core", "0035_alter_group_options_and_more"),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="GoogleWorkspaceProviderMapping",
-            fields=[
-                (
-                    "propertymapping_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_core.propertymapping",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Google Workspace Provider Mapping",
-                "verbose_name_plural": "Google Workspace Provider Mappings",
-            },
-            bases=("authentik_core.propertymapping",),
-        ),
-        migrations.CreateModel(
-            name="GoogleWorkspaceProvider",
-            fields=[
-                (
-                    "provider_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_core.provider",
-                    ),
-                ),
-                ("delegated_subject", models.EmailField(max_length=254)),
-                ("credentials", models.JSONField()),
-                (
-                    "scopes",
-                    models.TextField(
-                        default="https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.domain.readonly"
-                    ),
-                ),
-                ("default_group_email_domain", models.TextField()),
-                ("exclude_users_service_account", models.BooleanField(default=False)),
-                (
-                    "user_delete_action",
-                    models.TextField(
-                        choices=[
-                            ("do_nothing", "Do Nothing"),
-                            ("delete", "Delete"),
-                            ("suspend", "Suspend"),
-                        ],
-                        default="delete",
-                    ),
-                ),
-                (
-                    "group_delete_action",
-                    models.TextField(
-                        choices=[
-                            ("do_nothing", "Do Nothing"),
-                            ("delete", "Delete"),
-                            ("suspend", "Suspend"),
-                        ],
-                        default="delete",
-                    ),
-                ),
-                (
-                    "filter_group",
-                    models.ForeignKey(
-                        default=None,
-                        null=True,
-                        on_delete=django.db.models.deletion.SET_DEFAULT,
-                        to="authentik_core.group",
-                    ),
-                ),
-                (
-                    "property_mappings_group",
-                    models.ManyToManyField(
-                        blank=True,
-                        default=None,
-                        help_text="Property mappings used for group creation/updating.",
-                        to="authentik_core.propertymapping",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Google Workspace Provider",
-                "verbose_name_plural": "Google Workspace Providers",
-            },
-            bases=("authentik_core.provider", models.Model),
-        ),
-        migrations.CreateModel(
-            name="GoogleWorkspaceProviderGroup",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
-                    ),
-                ),
-                ("google_id", models.TextField()),
-                (
-                    "group",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.group"
-                    ),
-                ),
-                (
-                    "provider",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="authentik_providers_google_workspace.googleworkspaceprovider",
-                    ),
-                ),
-            ],
-            options={
-                "unique_together": {("google_id", "group", "provider")},
-                "verbose_name": "Google Workspace Provider Group",
-                "verbose_name_plural": "Google Workspace Provider Groups",
-            },
-        ),
-        migrations.CreateModel(
-            name="GoogleWorkspaceProviderUser",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
-                    ),
-                ),
-                ("google_id", models.TextField()),
-                (
-                    "provider",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="authentik_providers_google_workspace.googleworkspaceprovider",
-                    ),
-                ),
-                (
-                    "user",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
-                    ),
-                ),
-            ],
-            options={
-                "unique_together": {("google_id", "user", "provider")},
-                "verbose_name": "Google Workspace Provider User",
-                "verbose_name_plural": "Google Workspace Provider Users",
-            },
-        ),
-    ]
--- a/authentik/enterprise/providers/google_workspace/migrations/0002_alter_googleworkspaceprovidergroup_options_and_more.py
+++ b/authentik/enterprise/providers/google_workspace/migrations/0002_alter_googleworkspaceprovidergroup_options_and_more.py
@ -1,27 +0,0 @@
-# Generated by Django 5.0.6 on 2024-05-08 14:35
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_google_workspace", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name="googleworkspaceprovidergroup",
-            options={
-                "verbose_name": "Google Workspace Provider Group",
-                "verbose_name_plural": "Google Workspace Provider Groups",
-            },
-        ),
-        migrations.AlterModelOptions(
-            name="googleworkspaceprovideruser",
-            options={
-                "verbose_name": "Google Workspace Provider User",
-                "verbose_name_plural": "Google Workspace Provider Users",
-            },
-        ),
-    ]
--- a/authentik/enterprise/providers/google_workspace/migrations/0003_googleworkspaceprovidergroup_attributes_and_more.py
+++ b/authentik/enterprise/providers/google_workspace/migrations/0003_googleworkspaceprovidergroup_attributes_and_more.py
@ -1,26 +0,0 @@
-# Generated by Django 5.0.6 on 2024-05-23 20:48
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "authentik_providers_google_workspace",
-            "0001_squashed_0002_alter_googleworkspaceprovidergroup_options_and_more",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="googleworkspaceprovidergroup",
-            name="attributes",
-            field=models.JSONField(default=dict),
-        ),
-        migrations.AddField(
-            model_name="googleworkspaceprovideruser",
-            name="attributes",
-            field=models.JSONField(default=dict),
-        ),
-    ]
--- a/authentik/enterprise/providers/google_workspace/models.py
+++ b/authentik/enterprise/providers/google_workspace/models.py
@ -5,7 +5,6 @@ from uuid import uuid4

 from django.db import models
 from django.db.models import QuerySet
-from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
 from google.oauth2.service_account import Credentials
 from rest_framework.serializers import Serializer
@ -17,9 +16,8 @@ from authentik.core.models import (
    User,
    UserTypes,
 )
-from authentik.lib.models import SerializerModel
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
-from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction, OutgoingSyncProvider
+from authentik.lib.sync.outgoing.models import OutgoingSyncProvider


 def default_scopes() -> list[str]:
@ -31,56 +29,13 @@ def default_scopes() -> list[str]:
    ]


-class GoogleWorkspaceProviderUser(SerializerModel):
-    """Mapping of a user and provider to a Google user ID"""
+class GoogleWorkspaceDeleteAction(models.TextChoices):
+    """Action taken when a user/group is deleted in authentik. Suspend is not available for groups,
+    and will be treated as `do_nothing`"""

-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    google_id = models.TextField()
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
-    provider = models.ForeignKey("GoogleWorkspaceProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.google_workspace.api.users import (
-            GoogleWorkspaceProviderUserSerializer,
-        )
-
-        return GoogleWorkspaceProviderUserSerializer
-
-    class Meta:
-        verbose_name = _("Google Workspace Provider User")
-        verbose_name_plural = _("Google Workspace Provider Users")
-        unique_together = (("google_id", "user", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Google Workspace Provider User {self.user_id} to {self.provider_id}"
-
-
-class GoogleWorkspaceProviderGroup(SerializerModel):
-    """Mapping of a group and provider to a Google group ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    google_id = models.TextField()
-    group = models.ForeignKey(Group, on_delete=models.CASCADE)
-    provider = models.ForeignKey("GoogleWorkspaceProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.google_workspace.api.groups import (
-            GoogleWorkspaceProviderGroupSerializer,
-        )
-
-        return GoogleWorkspaceProviderGroupSerializer
-
-    class Meta:
-        verbose_name = _("Google Workspace Provider Group")
-        verbose_name_plural = _("Google Workspace Provider Groups")
-        unique_together = (("google_id", "group", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Google Workspace Provider Group {self.group_id} to {self.provider_id}"
+    DO_NOTHING = "do_nothing"
+    DELETE = "delete"
+    SUSPEND = "suspend"


 class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
@ -93,10 +48,10 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
    default_group_email_domain = models.TextField()
    exclude_users_service_account = models.BooleanField(default=False)
    user_delete_action = models.TextField(
-        choices=OutgoingSyncDeleteAction.choices, default=OutgoingSyncDeleteAction.DELETE
+        choices=GoogleWorkspaceDeleteAction.choices, default=GoogleWorkspaceDeleteAction.DELETE
    )
    group_delete_action = models.TextField(
-        choices=OutgoingSyncDeleteAction.choices, default=OutgoingSyncDeleteAction.DELETE
+        choices=GoogleWorkspaceDeleteAction.choices, default=GoogleWorkspaceDeleteAction.DELETE
    )

    filter_group = models.ForeignKey(
@ -111,16 +66,15 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
    )

    def client_for_model(
-        self,
-        model: type[User | Group | GoogleWorkspaceProviderUser | GoogleWorkspaceProviderGroup],
+        self, model: type[User | Group]
    ) -> BaseOutgoingSyncClient[User | Group, Any, Any, Self]:
-        if issubclass(model, User | GoogleWorkspaceProviderUser):
+        if issubclass(model, User):
            from authentik.enterprise.providers.google_workspace.clients.users import (
                GoogleWorkspaceUserClient,
            )

            return GoogleWorkspaceUserClient(self)
-        if issubclass(model, Group | GoogleWorkspaceProviderGroup):
+        if issubclass(model, Group):
            from authentik.enterprise.providers.google_workspace.clients.groups import (
                GoogleWorkspaceGroupClient,
            )
@ -152,10 +106,6 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
            ).with_subject(self.delegated_subject),
        }

-    @property
-    def icon_url(self) -> str | None:
-        return static("authentik/sources/google.svg")
-
    @property
    def component(self) -> str:
        return "ak-provider-google-workspace-form"
@ -163,10 +113,10 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
    @property
    def serializer(self) -> type[Serializer]:
        from authentik.enterprise.providers.google_workspace.api.providers import (
-            GoogleWorkspaceProviderSerializer,
+            GoogleProviderSerializer,
        )

-        return GoogleWorkspaceProviderSerializer
+        return GoogleProviderSerializer

    def __str__(self):
        return f"Google Workspace Provider {self.name}"
@ -186,10 +136,10 @@ class GoogleWorkspaceProviderMapping(PropertyMapping):
    @property
    def serializer(self) -> type[Serializer]:
        from authentik.enterprise.providers.google_workspace.api.property_mappings import (
-            GoogleWorkspaceProviderMappingSerializer,
+            GoogleProviderMappingSerializer,
        )

-        return GoogleWorkspaceProviderMappingSerializer
+        return GoogleProviderMappingSerializer

    def __str__(self):
        return f"Google Workspace Provider Mapping {self.name}"
@ -197,3 +147,33 @@ class GoogleWorkspaceProviderMapping(PropertyMapping):
    class Meta:
        verbose_name = _("Google Workspace Provider Mapping")
        verbose_name_plural = _("Google Workspace Provider Mappings")
+
+
+class GoogleWorkspaceProviderUser(models.Model):
+    """Mapping of a user and provider to a Google user ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    google_id = models.TextField()
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    provider = models.ForeignKey(GoogleWorkspaceProvider, on_delete=models.CASCADE)
+
+    class Meta:
+        unique_together = (("google_id", "user", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Google Workspace User {self.user_id} to {self.provider_id}"
+
+
+class GoogleWorkspaceProviderGroup(models.Model):
+    """Mapping of a group and provider to a Google group ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    google_id = models.TextField()
+    group = models.ForeignKey(Group, on_delete=models.CASCADE)
+    provider = models.ForeignKey(GoogleWorkspaceProvider, on_delete=models.CASCADE)
+
+    class Meta:
+        unique_together = (("google_id", "group", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Google Workspace Group {self.group_id} to {self.provider_id}"
--- a/authentik/enterprise/providers/google_workspace/tasks.py
+++ b/authentik/enterprise/providers/google_workspace/tasks.py
@ -2,21 +2,18 @@

 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
 from authentik.events.system_tasks import SystemTask
-from authentik.lib.sync.outgoing.exceptions import TransientSyncException
 from authentik.lib.sync.outgoing.tasks import SyncTasks
 from authentik.root.celery import CELERY_APP

 sync_tasks = SyncTasks(GoogleWorkspaceProvider)


-@CELERY_APP.task(autoretry_for=(TransientSyncException,), retry_backoff=True)
+@CELERY_APP.task()
 def google_workspace_sync_objects(*args, **kwargs):
    return sync_tasks.sync_objects(*args, **kwargs)


-@CELERY_APP.task(
-    base=SystemTask, bind=True, autoretry_for=(TransientSyncException,), retry_backoff=True
-)
+@CELERY_APP.task(base=SystemTask, bind=True)
 def google_workspace_sync(self, provider_pk: int, *args, **kwargs):
    """Run full sync for Google Workspace provider"""
    return sync_tasks.sync_single(self, provider_pk, google_workspace_sync_objects)
@ -27,11 +24,11 @@ def google_workspace_sync_all():
    return sync_tasks.sync_all(google_workspace_sync)


-@CELERY_APP.task(autoretry_for=(TransientSyncException,), retry_backoff=True)
+@CELERY_APP.task()
 def google_workspace_sync_direct(*args, **kwargs):
    return sync_tasks.sync_signal_direct(*args, **kwargs)


-@CELERY_APP.task(autoretry_for=(TransientSyncException,), retry_backoff=True)
+@CELERY_APP.task()
 def google_workspace_sync_m2m(*args, **kwargs):
    return sync_tasks.sync_signal_m2m(*args, **kwargs)
--- a/authentik/enterprise/providers/google_workspace/tests/test_groups.py
+++ b/authentik/enterprise/providers/google_workspace/tests/test_groups.py
@ -9,6 +9,7 @@ from authentik.core.models import Application, Group, User
 from authentik.core.tests.utils import create_test_user
 from authentik.enterprise.providers.google_workspace.clients.test_http import MockHTTP
 from authentik.enterprise.providers.google_workspace.models import (
+    GoogleWorkspaceDeleteAction,
    GoogleWorkspaceProvider,
    GoogleWorkspaceProviderGroup,
    GoogleWorkspaceProviderMapping,
@ -16,7 +17,6 @@ from authentik.enterprise.providers.google_workspace.models import (
 from authentik.enterprise.providers.google_workspace.tasks import google_workspace_sync
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
-from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
 from authentik.lib.tests.utils import load_fixture
 from authentik.tenants.models import Tenant

@ -82,27 +82,6 @@ class GoogleWorkspaceGroupTests(TestCase):
            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
            self.assertEqual(len(http.requests()), 2)

-    def test_group_not_created(self):
-        """Test without group property mappings, no group is created"""
-        self.provider.property_mappings_group.clear()
-        uid = generate_id()
-        http = MockHTTP()
-        http.add_response(
-            f"https://admin.googleapis.com/admin/directory/v1/customer/my_customer/domains?key={self.api_key}&alt=json",
-            domains_list_v1_mock,
-        )
-        with patch(
-            "authentik.enterprise.providers.google_workspace.models.GoogleWorkspaceProvider.google_credentials",
-            MagicMock(return_value={"developerKey": self.api_key, "http": http}),
-        ):
-            group = Group.objects.create(name=uid)
-            google_group = GoogleWorkspaceProviderGroup.objects.filter(
-                provider=self.provider, group=group
-            ).first()
-            self.assertIsNone(google_group)
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 1)
-
    def test_group_create_update(self):
        """Test group updating"""
        uid = generate_id()
@ -261,7 +240,7 @@ class GoogleWorkspaceGroupTests(TestCase):

    def test_group_create_delete_do_nothing(self):
        """Test group deletion (delete action = do nothing)"""
-        self.provider.group_delete_action = OutgoingSyncDeleteAction.DO_NOTHING
+        self.provider.group_delete_action = GoogleWorkspaceDeleteAction.DO_NOTHING
        self.provider.save()
        uid = generate_id()
        http = MockHTTP()
--- a/authentik/enterprise/providers/google_workspace/tests/test_users.py
+++ b/authentik/enterprise/providers/google_workspace/tests/test_users.py
@ -9,6 +9,7 @@ from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, Group, User
 from authentik.enterprise.providers.google_workspace.clients.test_http import MockHTTP
 from authentik.enterprise.providers.google_workspace.models import (
+    GoogleWorkspaceDeleteAction,
    GoogleWorkspaceProvider,
    GoogleWorkspaceProviderMapping,
    GoogleWorkspaceProviderUser,
@ -16,7 +17,6 @@ from authentik.enterprise.providers.google_workspace.models import (
 from authentik.enterprise.providers.google_workspace.tasks import google_workspace_sync
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
-from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
 from authentik.lib.tests.utils import load_fixture
 from authentik.tenants.models import Tenant

@ -86,31 +86,6 @@ class GoogleWorkspaceUserTests(TestCase):
            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
            self.assertEqual(len(http.requests()), 2)

-    def test_user_not_created(self):
-        """Test without property mappings, no group is created"""
-        self.provider.property_mappings.clear()
-        uid = generate_id()
-        http = MockHTTP()
-        http.add_response(
-            f"https://admin.googleapis.com/admin/directory/v1/customer/my_customer/domains?key={self.api_key}&alt=json",
-            domains_list_v1_mock,
-        )
-        with patch(
-            "authentik.enterprise.providers.google_workspace.models.GoogleWorkspaceProvider.google_credentials",
-            MagicMock(return_value={"developerKey": self.api_key, "http": http}),
-        ):
-            user = User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-            google_user = GoogleWorkspaceProviderUser.objects.filter(
-                provider=self.provider, user=user
-            ).first()
-            self.assertIsNone(google_user)
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            self.assertEqual(len(http.requests()), 1)
-
    def test_user_create_update(self):
        """Test user updating"""
        uid = generate_id()
@ -185,7 +160,7 @@ class GoogleWorkspaceUserTests(TestCase):

    def test_user_create_delete_suspend(self):
        """Test user deletion (delete action = Suspend)"""
-        self.provider.user_delete_action = OutgoingSyncDeleteAction.SUSPEND
+        self.provider.user_delete_action = GoogleWorkspaceDeleteAction.SUSPEND
        self.provider.save()
        uid = generate_id()
        http = MockHTTP()
@ -234,7 +209,7 @@ class GoogleWorkspaceUserTests(TestCase):

    def test_user_create_delete_do_nothing(self):
        """Test user deletion (delete action = do nothing)"""
-        self.provider.user_delete_action = OutgoingSyncDeleteAction.DO_NOTHING
+        self.provider.user_delete_action = GoogleWorkspaceDeleteAction.DO_NOTHING
        self.provider.save()
        uid = generate_id()
        http = MockHTTP()
--- a/authentik/enterprise/providers/google_workspace/urls.py
+++ b/authentik/enterprise/providers/google_workspace/urls.py
@ -1,21 +1,11 @@
 """google provider urls"""

-from authentik.enterprise.providers.google_workspace.api.groups import (
-    GoogleWorkspaceProviderGroupViewSet,
-)
 from authentik.enterprise.providers.google_workspace.api.property_mappings import (
-    GoogleWorkspaceProviderMappingViewSet,
-)
-from authentik.enterprise.providers.google_workspace.api.providers import (
-    GoogleWorkspaceProviderViewSet,
-)
-from authentik.enterprise.providers.google_workspace.api.users import (
-    GoogleWorkspaceProviderUserViewSet,
+    GoogleProviderMappingViewSet,
 )
+from authentik.enterprise.providers.google_workspace.api.providers import GoogleProviderViewSet

 api_urlpatterns = [
-    ("providers/google_workspace", GoogleWorkspaceProviderViewSet),
-    ("providers/google_workspace_users", GoogleWorkspaceProviderUserViewSet),
-    ("providers/google_workspace_groups", GoogleWorkspaceProviderGroupViewSet),
-    ("propertymappings/provider/google_workspace", GoogleWorkspaceProviderMappingViewSet),
+    ("providers/google_workspace", GoogleProviderViewSet),
+    ("propertymappings/provider/google_workspace", GoogleProviderMappingViewSet),
 ]
--- a/authentik/enterprise/providers/microsoft_entra/init.py
+++ b/authentik/enterprise/providers/microsoft_entra/init.py
--- a/authentik/enterprise/providers/microsoft_entra/api/init.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/init.py
--- a/authentik/enterprise/providers/microsoft_entra/api/groups.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/groups.py
@ -1,47 +0,0 @@
-"""MicrosoftEntraProviderGroup API Views"""
-
-from rest_framework import mixins
-from rest_framework.viewsets import GenericViewSet
-
-from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.users import UserGroupSerializer
-from authentik.core.api.utils import ModelSerializer
-from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderGroup
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
-
-
-class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
-    """MicrosoftEntraProviderGroup Serializer"""
-
-    group_obj = UserGroupSerializer(source="group", read_only=True)
-
-    class Meta:
-
-        model = MicrosoftEntraProviderGroup
-        fields = [
-            "id",
-            "microsoft_id",
-            "group",
-            "group_obj",
-            "provider",
-            "attributes",
-        ]
-        extra_kwargs = {"attributes": {"read_only": True}}
-
-
-class MicrosoftEntraProviderGroupViewSet(
-    mixins.CreateModelMixin,
-    OutgoingSyncConnectionCreateMixin,
-    mixins.RetrieveModelMixin,
-    mixins.DestroyModelMixin,
-    UsedByMixin,
-    mixins.ListModelMixin,
-    GenericViewSet,
-):
-    """MicrosoftEntraProviderGroup Viewset"""
-
-    queryset = MicrosoftEntraProviderGroup.objects.all().select_related("group")
-    serializer_class = MicrosoftEntraProviderGroupSerializer
-    filterset_fields = ["provider__id", "group__name", "group__group_uuid"]
-    search_fields = ["provider__name", "group__name"]
-    ordering = ["group__name"]
--- a/authentik/enterprise/providers/microsoft_entra/api/property_mappings.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/property_mappings.py
@ -1,39 +0,0 @@
-"""microsoft Property mappings API Views"""
-
-from django_filters.filters import AllValuesMultipleFilter
-from django_filters.filterset import FilterSet
-from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import extend_schema_field
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.core.api.property_mappings import PropertyMappingSerializer
-from authentik.core.api.used_by import UsedByMixin
-from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderMapping
-
-
-class MicrosoftEntraProviderMappingSerializer(PropertyMappingSerializer):
-    """MicrosoftEntraProviderMapping Serializer"""
-
-    class Meta:
-        model = MicrosoftEntraProviderMapping
-        fields = PropertyMappingSerializer.Meta.fields
-
-
-class MicrosoftEntraProviderMappingFilter(FilterSet):
-    """Filter for MicrosoftEntraProviderMapping"""
-
-    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
-
-    class Meta:
-        model = MicrosoftEntraProviderMapping
-        fields = "__all__"
-
-
-class MicrosoftEntraProviderMappingViewSet(UsedByMixin, ModelViewSet):
-    """MicrosoftEntraProviderMapping Viewset"""
-
-    queryset = MicrosoftEntraProviderMapping.objects.all()
-    serializer_class = MicrosoftEntraProviderMappingSerializer
-    filterset_class = MicrosoftEntraProviderMappingFilter
-    search_fields = ["name"]
-    ordering = ["name"]
--- a/authentik/enterprise/providers/microsoft_entra/api/providers.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/providers.py
@ -1,52 +0,0 @@
-"""Microsoft Provider API Views"""
-
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.core.api.providers import ProviderSerializer
-from authentik.core.api.used_by import UsedByMixin
-from authentik.enterprise.api import EnterpriseRequiredMixin
-from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
-from authentik.enterprise.providers.microsoft_entra.tasks import microsoft_entra_sync
-from authentik.lib.sync.outgoing.api import OutgoingSyncProviderStatusMixin
-
-
-class MicrosoftEntraProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
-    """MicrosoftEntraProvider Serializer"""
-
-    class Meta:
-        model = MicrosoftEntraProvider
-        fields = [
-            "pk",
-            "name",
-            "property_mappings",
-            "property_mappings_group",
-            "component",
-            "assigned_backchannel_application_slug",
-            "assigned_backchannel_application_name",
-            "verbose_name",
-            "verbose_name_plural",
-            "meta_model_name",
-            "client_id",
-            "client_secret",
-            "tenant_id",
-            "exclude_users_service_account",
-            "filter_group",
-            "user_delete_action",
-            "group_delete_action",
-        ]
-        extra_kwargs = {}
-
-
-class MicrosoftEntraProviderViewSet(OutgoingSyncProviderStatusMixin, UsedByMixin, ModelViewSet):
-    """MicrosoftEntraProvider Viewset"""
-
-    queryset = MicrosoftEntraProvider.objects.all()
-    serializer_class = MicrosoftEntraProviderSerializer
-    filterset_fields = [
-        "name",
-        "exclude_users_service_account",
-        "filter_group",
-    ]
-    search_fields = ["name"]
-    ordering = ["name"]
-    sync_single_task = microsoft_entra_sync
--- a/authentik/enterprise/providers/microsoft_entra/api/users.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/users.py
@ -1,47 +0,0 @@
-"""MicrosoftEntraProviderUser API Views"""
-
-from rest_framework import mixins
-from rest_framework.viewsets import GenericViewSet
-
-from authentik.core.api.groups import GroupMemberSerializer
-from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
-from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderUser
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
-
-
-class MicrosoftEntraProviderUserSerializer(ModelSerializer):
-    """MicrosoftEntraProviderUser Serializer"""
-
-    user_obj = GroupMemberSerializer(source="user", read_only=True)
-
-    class Meta:
-
-        model = MicrosoftEntraProviderUser
-        fields = [
-            "id",
-            "microsoft_id",
-            "user",
-            "user_obj",
-            "provider",
-            "attributes",
-        ]
-        extra_kwargs = {"attributes": {"read_only": True}}
-
-
-class MicrosoftEntraProviderUserViewSet(
-    OutgoingSyncConnectionCreateMixin,
-    mixins.CreateModelMixin,
-    mixins.RetrieveModelMixin,
-    mixins.DestroyModelMixin,
-    UsedByMixin,
-    mixins.ListModelMixin,
-    GenericViewSet,
-):
-    """MicrosoftEntraProviderUser Viewset"""
-
-    queryset = MicrosoftEntraProviderUser.objects.all().select_related("user")
-    serializer_class = MicrosoftEntraProviderUserSerializer
-    filterset_fields = ["provider__id", "user__username", "user__id"]
-    search_fields = ["provider__name", "user__username"]
-    ordering = ["user__username"]
--- a/authentik/enterprise/providers/microsoft_entra/apps.py
+++ b/authentik/enterprise/providers/microsoft_entra/apps.py
@ -1,9 +0,0 @@
-from authentik.enterprise.apps import EnterpriseConfig
-
-
-class AuthentikEnterpriseProviderMicrosoftEntraConfig(EnterpriseConfig):
-
-    name = "authentik.enterprise.providers.microsoft_entra"
-    label = "authentik_providers_microsoft_entra"
-    verbose_name = "authentik Enterprise.Providers.Microsoft Entra"
-    default = True
--- a/authentik/enterprise/providers/microsoft_entra/clients/init.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/init.py
--- a/authentik/enterprise/providers/microsoft_entra/clients/base.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/base.py
@ -1,110 +0,0 @@
-from asyncio import run
-from collections.abc import Coroutine
-from dataclasses import asdict
-from typing import Any
-
-from azure.core.exceptions import (
-    ClientAuthenticationError,
-    ServiceRequestError,
-    ServiceResponseError,
-)
-from azure.identity.aio import ClientSecretCredential
-from django.db.models import Model
-from django.http import HttpResponseBadRequest, HttpResponseNotFound
-from kiota_abstractions.api_error import APIError
-from kiota_authentication_azure.azure_identity_authentication_provider import (
-    AzureIdentityAuthenticationProvider,
-)
-from kiota_http.kiota_client_factory import KiotaClientFactory
-from msgraph.generated.models.entity import Entity
-from msgraph.generated.models.o_data_errors.o_data_error import ODataError
-from msgraph.graph_request_adapter import GraphRequestAdapter, options
-from msgraph.graph_service_client import GraphServiceClient
-from msgraph_core import GraphClientFactory
-
-from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
-from authentik.events.utils import sanitize_item
-from authentik.lib.sync.outgoing import HTTP_CONFLICT
-from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
-from authentik.lib.sync.outgoing.exceptions import (
-    BadRequestSyncException,
-    NotFoundSyncException,
-    ObjectExistsSyncException,
-    StopSync,
-    TransientSyncException,
-)
-
-
-def get_request_adapter(
-    credentials: ClientSecretCredential, scopes: list[str] | None = None
-) -> GraphRequestAdapter:
-    if scopes:
-        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials, scopes=scopes)
-    else:
-        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials)
-
-    return GraphRequestAdapter(
-        auth_provider=auth_provider,
-        client=GraphClientFactory.create_with_default_middleware(
-            options=options, client=KiotaClientFactory.get_default_client()
-        ),
-    )
-
-
-class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict](
-    BaseOutgoingSyncClient[TModel, TConnection, TSchema, MicrosoftEntraProvider]
-):
-    """Base client for syncing to microsoft entra"""
-
-    domains: list
-
-    def __init__(self, provider: MicrosoftEntraProvider) -> None:
-        super().__init__(provider)
-        self.credentials = provider.microsoft_credentials()
-        self.__prefetch_domains()
-
-    @property
-    def client(self):
-        return GraphServiceClient(request_adapter=get_request_adapter(**self.credentials))
-
-    def _request[T](self, request: Coroutine[Any, Any, T]) -> T:
-        try:
-            return run(request)
-        except ClientAuthenticationError as exc:
-            raise StopSync(exc, None, None) from exc
-        except ODataError as exc:
-            raise StopSync(exc, None, None) from exc
-        except (ServiceRequestError, ServiceResponseError) as exc:
-            raise TransientSyncException("Failed to sent request") from exc
-        except APIError as exc:
-            if exc.response_status_code == HttpResponseNotFound.status_code:
-                raise NotFoundSyncException("Object not found") from exc
-            if exc.response_status_code == HttpResponseBadRequest.status_code:
-                raise BadRequestSyncException("Bad request", exc.response_headers) from exc
-            if exc.response_status_code == HTTP_CONFLICT:
-                raise ObjectExistsSyncException("Object exists", exc.response_headers) from exc
-            raise exc
-
-    def __prefetch_domains(self):
-        self.domains = []
-        organizations = self._request(self.client.organization.get())
-        next_link = True
-        while next_link:
-            for org in organizations.value:
-                self.domains.extend([x.name for x in org.verified_domains])
-            next_link = organizations.odata_next_link
-            if not next_link:
-                break
-            organizations = self._request(self.client.organization.with_url(next_link).get())
-
-    def check_email_valid(self, *emails: str):
-        for email in emails:
-            if not any(email.endswith(f"@{domain_name}") for domain_name in self.domains):
-                raise BadRequestSyncException(f"Invalid email domain: {email}")
-
-    def entity_as_dict(self, entity: Entity) -> dict:
-        """Create a dictionary of a model instance, making sure to remove (known) things
-        we can't JSON serialize"""
-        raw_data = asdict(entity)
-        raw_data.pop("backing_store", None)
-        return sanitize_item(raw_data)
--- a/authentik/enterprise/providers/microsoft_entra/clients/groups.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/groups.py
@ -1,232 +0,0 @@
-from deepmerge import always_merger
-from django.db import transaction
-from msgraph.generated.groups.groups_request_builder import GroupsRequestBuilder
-from msgraph.generated.models.group import Group as MSGroup
-from msgraph.generated.models.reference_create import ReferenceCreate
-
-from authentik.core.models import Group
-from authentik.enterprise.providers.microsoft_entra.clients.base import MicrosoftEntraSyncClient
-from authentik.enterprise.providers.microsoft_entra.models import (
-    MicrosoftEntraProvider,
-    MicrosoftEntraProviderGroup,
-    MicrosoftEntraProviderMapping,
-    MicrosoftEntraProviderUser,
-)
-from authentik.lib.sync.mapper import PropertyMappingManager
-from authentik.lib.sync.outgoing.base import Direction
-from authentik.lib.sync.outgoing.exceptions import (
-    NotFoundSyncException,
-    ObjectExistsSyncException,
-    StopSync,
-    TransientSyncException,
-)
-from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
-
-
-class MicrosoftEntraGroupClient(
-    MicrosoftEntraSyncClient[Group, MicrosoftEntraProviderGroup, MSGroup]
-):
-    """Microsoft client for groups"""
-
-    connection_type = MicrosoftEntraProviderGroup
-    connection_type_query = "group"
-    can_discover = True
-
-    def __init__(self, provider: MicrosoftEntraProvider) -> None:
-        super().__init__(provider)
-        self.mapper = PropertyMappingManager(
-            self.provider.property_mappings_group.all().order_by("name").select_subclasses(),
-            MicrosoftEntraProviderMapping,
-            ["group", "provider", "connection"],
-        )
-
-    def to_schema(self, obj: Group, connection: MicrosoftEntraProviderGroup) -> MSGroup:
-        """Convert authentik group"""
-        raw_microsoft_group = super().to_schema(obj, connection)
-        try:
-            return MSGroup(**raw_microsoft_group)
-        except TypeError as exc:
-            raise StopSync(exc, obj) from exc
-
-    def delete(self, obj: Group):
-        """Delete group"""
-        microsoft_group = MicrosoftEntraProviderGroup.objects.filter(
-            provider=self.provider, group=obj
-        ).first()
-        if not microsoft_group:
-            self.logger.debug("Group does not exist in Microsoft, skipping")
-            return None
-        with transaction.atomic():
-            if self.provider.group_delete_action == OutgoingSyncDeleteAction.DELETE:
-                self._request(self.client.groups.by_group_id(microsoft_group.microsoft_id).delete())
-            microsoft_group.delete()
-
-    def create(self, group: Group):
-        """Create group from scratch and create a connection object"""
-        microsoft_group = self.to_schema(group, None)
-        with transaction.atomic():
-            try:
-                response = self._request(self.client.groups.post(microsoft_group))
-            except ObjectExistsSyncException:
-                # group already exists in microsoft entra, so we can connect them manually
-                # for groups we need to fetch the group from microsoft as we connect on
-                # ID and not group email
-                query_params = GroupsRequestBuilder.GroupsRequestBuilderGetQueryParameters(
-                    filter=f"displayName eq '{microsoft_group.display_name}'",
-                )
-                request_configuration = (
-                    GroupsRequestBuilder.GroupsRequestBuilderGetRequestConfiguration(
-                        query_parameters=query_params,
-                    )
-                )
-                group_data = self._request(self.client.groups.get(request_configuration))
-                if group_data.odata_count < 1 or len(group_data.value) < 1:
-                    self.logger.warning(
-                        "Group which could not be created also does not exist", group=group
-                    )
-                    return
-                ms_group = group_data.value[0]
-                return MicrosoftEntraProviderGroup.objects.create(
-                    provider=self.provider,
-                    group=group,
-                    microsoft_id=ms_group.id,
-                    attributes=self.entity_as_dict(ms_group),
-                )
-            else:
-                return MicrosoftEntraProviderGroup.objects.create(
-                    provider=self.provider,
-                    group=group,
-                    microsoft_id=response.id,
-                    attributes=self.entity_as_dict(response),
-                )
-
-    def update(self, group: Group, connection: MicrosoftEntraProviderGroup):
-        """Update existing group"""
-        microsoft_group = self.to_schema(group, connection)
-        microsoft_group.id = connection.microsoft_id
-        try:
-            response = self._request(
-                self.client.groups.by_group_id(connection.microsoft_id).patch(microsoft_group)
-            )
-            if response:
-                always_merger.merge(connection.attributes, self.entity_as_dict(response))
-                connection.save()
-        except NotFoundSyncException:
-            # Resource missing is handled by self.write, which will re-create the group
-            raise
-
-    def write(self, obj: Group):
-        microsoft_group, created = super().write(obj)
-        self.create_sync_members(obj, microsoft_group)
-        return microsoft_group, created
-
-    def create_sync_members(self, obj: Group, microsoft_group: MicrosoftEntraProviderGroup):
-        """Sync all members after a group was created"""
-        users = list(obj.users.order_by("id").values_list("id", flat=True))
-        connections = MicrosoftEntraProviderUser.objects.filter(
-            provider=self.provider, user__pk__in=users
-        ).values_list("microsoft_id", flat=True)
-        self._patch(microsoft_group.microsoft_id, Direction.add, connections)
-
-    def update_group(self, group: Group, action: Direction, users_set: set[int]):
-        """Update a groups members"""
-        if action == Direction.add:
-            return self._patch_add_users(group, users_set)
-        if action == Direction.remove:
-            return self._patch_remove_users(group, users_set)
-
-    def _patch(self, microsoft_group_id: str, direction: Direction, members: list[str]):
-        for user in members:
-            try:
-                if direction == Direction.add:
-                    request_body = ReferenceCreate(
-                        odata_id=f"https://graph.microsoft.com/v1.0/directoryObjects/{user}",
-                    )
-                    self._request(
-                        self.client.groups.by_group_id(microsoft_group_id).members.ref.post(
-                            request_body
-                        )
-                    )
-                if direction == Direction.remove:
-                    self._request(
-                        self.client.groups.by_group_id(microsoft_group_id)
-                        .members.by_directory_object_id(user)
-                        .ref.delete()
-                    )
-            except ObjectExistsSyncException:
-                pass
-            except TransientSyncException:
-                raise
-
-    def _patch_add_users(self, group: Group, users_set: set[int]):
-        """Add users in users_set to group"""
-        if len(users_set) < 1:
-            return
-        microsoft_group = MicrosoftEntraProviderGroup.objects.filter(
-            provider=self.provider, group=group
-        ).first()
-        if not microsoft_group:
-            self.logger.warning(
-                "could not sync group membership, group does not exist", group=group
-            )
-            return
-        user_ids = list(
-            MicrosoftEntraProviderUser.objects.filter(
-                user__pk__in=users_set, provider=self.provider
-            ).values_list("microsoft_id", flat=True)
-        )
-        if len(user_ids) < 1:
-            return
-        self._patch(microsoft_group.microsoft_id, Direction.add, user_ids)
-
-    def _patch_remove_users(self, group: Group, users_set: set[int]):
-        """Remove users in users_set from group"""
-        if len(users_set) < 1:
-            return
-        microsoft_group = MicrosoftEntraProviderGroup.objects.filter(
-            provider=self.provider, group=group
-        ).first()
-        if not microsoft_group:
-            self.logger.warning(
-                "could not sync group membership, group does not exist", group=group
-            )
-            return
-        user_ids = list(
-            MicrosoftEntraProviderUser.objects.filter(
-                user__pk__in=users_set, provider=self.provider
-            ).values_list("microsoft_id", flat=True)
-        )
-        if len(user_ids) < 1:
-            return
-        self._patch(microsoft_group.microsoft_id, Direction.remove, user_ids)
-
-    def discover(self):
-        """Iterate through all groups and connect them with authentik groups if possible"""
-        groups = self._request(self.client.groups.get())
-        next_link = True
-        while next_link:
-            for group in groups.value:
-                self._discover_single_group(group)
-            next_link = groups.odata_next_link
-            if not next_link:
-                break
-            groups = self._request(self.client.groups.with_url(next_link).get())
-
-    def _discover_single_group(self, group: MSGroup):
-        """handle discovery of a single group"""
-        microsoft_name = group.unique_name
-        matching_authentik_group = (
-            self.provider.get_object_qs(Group).filter(name=microsoft_name).first()
-        )
-        if not matching_authentik_group:
-            return
-        MicrosoftEntraProviderGroup.objects.get_or_create(
-            provider=self.provider,
-            group=matching_authentik_group,
-            microsoft_id=group.id,
-            attributes=self.entity_as_dict(group),
-        )
-
-    def update_single_attribute(self, connection: MicrosoftEntraProviderGroup):
-        data = self._request(self.client.groups.by_group_id(connection.microsoft_id).get())
-        connection.attributes = self.entity_as_dict(data)
--- a/authentik/enterprise/providers/microsoft_entra/clients/users.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/users.py
@ -1,178 +0,0 @@
-from deepmerge import always_merger
-from django.db import transaction
-from msgraph.generated.models.user import User as MSUser
-from msgraph.generated.users.users_request_builder import UsersRequestBuilder
-
-from authentik.core.models import User
-from authentik.enterprise.providers.microsoft_entra.clients.base import MicrosoftEntraSyncClient
-from authentik.enterprise.providers.microsoft_entra.models import (
-    MicrosoftEntraProvider,
-    MicrosoftEntraProviderMapping,
-    MicrosoftEntraProviderUser,
-)
-from authentik.lib.sync.mapper import PropertyMappingManager
-from authentik.lib.sync.outgoing.exceptions import (
-    ObjectExistsSyncException,
-    StopSync,
-    TransientSyncException,
-)
-from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
-from authentik.policies.utils import delete_none_values
-
-
-class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProviderUser, MSUser]):
-    """Sync authentik users into microsoft entra"""
-
-    connection_type = MicrosoftEntraProviderUser
-    connection_type_query = "user"
-    can_discover = True
-
-    def __init__(self, provider: MicrosoftEntraProvider) -> None:
-        super().__init__(provider)
-        self.mapper = PropertyMappingManager(
-            self.provider.property_mappings.all().order_by("name").select_subclasses(),
-            MicrosoftEntraProviderMapping,
-            ["provider", "connection"],
-        )
-
-    def to_schema(self, obj: User, connection: MicrosoftEntraProviderUser) -> MSUser:
-        """Convert authentik user"""
-        raw_microsoft_user = super().to_schema(obj, connection)
-        try:
-            return MSUser(**delete_none_values(raw_microsoft_user))
-        except TypeError as exc:
-            raise StopSync(exc, obj) from exc
-
-    def delete(self, obj: User):
-        """Delete user"""
-        microsoft_user = MicrosoftEntraProviderUser.objects.filter(
-            provider=self.provider, user=obj
-        ).first()
-        if not microsoft_user:
-            self.logger.debug("User does not exist in Microsoft, skipping")
-            return None
-        with transaction.atomic():
-            response = None
-            if self.provider.user_delete_action == OutgoingSyncDeleteAction.DELETE:
-                response = self._request(
-                    self.client.users.by_user_id(microsoft_user.microsoft_id).delete()
-                )
-            elif self.provider.user_delete_action == OutgoingSyncDeleteAction.SUSPEND:
-                response = self._request(
-                    self.client.users.by_user_id(microsoft_user.microsoft_id).patch(
-                        MSUser(account_enabled=False)
-                    )
-                )
-            microsoft_user.delete()
-        return response
-
-    def get_select_fields(self) -> list[str]:
-        """All fields that should be selected when we fetch user data."""
-        # TODO: Make this customizable in the future
-        return [
-            # Default fields
-            "businessPhones",
-            "displayName",
-            "givenName",
-            "jobTitle",
-            "mail",
-            "mobilePhone",
-            "officeLocation",
-            "preferredLanguage",
-            "surname",
-            "userPrincipalName",
-            "id",
-            # Required for logging into M365 using authentik
-            "onPremisesImmutableId",
-        ]
-
-    def create(self, user: User):
-        """Create user from scratch and create a connection object"""
-        microsoft_user = self.to_schema(user, None)
-        self.check_email_valid(microsoft_user.user_principal_name)
-        with transaction.atomic():
-            try:
-                response = self._request(self.client.users.post(microsoft_user))
-            except ObjectExistsSyncException:
-                # user already exists in microsoft entra, so we can connect them manually
-                request_configuration = (
-                    UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
-                        query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
-                            filter=f"mail eq '{microsoft_user.mail}'",
-                            select=self.get_select_fields(),
-                        ),
-                    )
-                )
-                user_data = self._request(self.client.users.get(request_configuration))
-                if user_data.odata_count < 1 or len(user_data.value) < 1:
-                    self.logger.warning(
-                        "User which could not be created also does not exist", user=user
-                    )
-                    return
-                ms_user = user_data.value[0]
-                return MicrosoftEntraProviderUser.objects.create(
-                    provider=self.provider,
-                    user=user,
-                    microsoft_id=ms_user.id,
-                    attributes=self.entity_as_dict(ms_user),
-                )
-            except TransientSyncException as exc:
-                raise exc
-            else:
-                return MicrosoftEntraProviderUser.objects.create(
-                    provider=self.provider,
-                    user=user,
-                    microsoft_id=response.id,
-                    attributes=self.entity_as_dict(response),
-                )
-
-    def update(self, user: User, connection: MicrosoftEntraProviderUser):
-        """Update existing user"""
-        microsoft_user = self.to_schema(user, connection)
-        self.check_email_valid(microsoft_user.user_principal_name)
-        response = self._request(
-            self.client.users.by_user_id(connection.microsoft_id).patch(microsoft_user)
-        )
-        if response:
-            always_merger.merge(connection.attributes, self.entity_as_dict(response))
-            connection.save()
-
-    def discover(self):
-        """Iterate through all users and connect them with authentik users if possible"""
-        request_configuration = UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
-            query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
-                select=self.get_select_fields(),
-            ),
-        )
-        users = self._request(self.client.users.get(request_configuration))
-        next_link = True
-        while next_link:
-            for user in users.value:
-                self._discover_single_user(user)
-            next_link = users.odata_next_link
-            if not next_link:
-                break
-            users = self._request(self.client.users.with_url(next_link).get())
-
-    def _discover_single_user(self, user: MSUser):
-        """handle discovery of a single user"""
-        matching_authentik_user = self.provider.get_object_qs(User).filter(email=user.mail).first()
-        if not matching_authentik_user:
-            return
-        MicrosoftEntraProviderUser.objects.get_or_create(
-            provider=self.provider,
-            user=matching_authentik_user,
-            microsoft_id=user.id,
-            attributes=self.entity_as_dict(user),
-        )
-
-    def update_single_attribute(self, connection: MicrosoftEntraProviderUser):
-        request_configuration = UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
-            query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
-                select=self.get_select_fields(),
-            ),
-        )
-        data = self._request(
-            self.client.users.by_user_id(connection.microsoft_id).get(request_configuration)
-        )
-        connection.attributes = self.entity_as_dict(data)
--- a/authentik/enterprise/providers/microsoft_entra/migrations/0001_initial.py
+++ b/authentik/enterprise/providers/microsoft_entra/migrations/0001_initial.py
@ -1,165 +0,0 @@
-# Generated by Django 5.0.6 on 2024-05-08 14:35
-
-import django.db.models.deletion
-import uuid
-from django.conf import settings
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    initial = True
-
-    dependencies = [
-        ("authentik_core", "0035_alter_group_options_and_more"),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="MicrosoftEntraProviderMapping",
-            fields=[
-                (
-                    "propertymapping_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_core.propertymapping",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Microsoft Entra Provider Mapping",
-                "verbose_name_plural": "Microsoft Entra Provider Mappings",
-            },
-            bases=("authentik_core.propertymapping",),
-        ),
-        migrations.CreateModel(
-            name="MicrosoftEntraProvider",
-            fields=[
-                (
-                    "provider_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_core.provider",
-                    ),
-                ),
-                ("client_id", models.TextField()),
-                ("client_secret", models.TextField()),
-                ("tenant_id", models.TextField()),
-                ("exclude_users_service_account", models.BooleanField(default=False)),
-                (
-                    "user_delete_action",
-                    models.TextField(
-                        choices=[
-                            ("do_nothing", "Do Nothing"),
-                            ("delete", "Delete"),
-                            ("suspend", "Suspend"),
-                        ],
-                        default="delete",
-                    ),
-                ),
-                (
-                    "group_delete_action",
-                    models.TextField(
-                        choices=[
-                            ("do_nothing", "Do Nothing"),
-                            ("delete", "Delete"),
-                            ("suspend", "Suspend"),
-                        ],
-                        default="delete",
-                    ),
-                ),
-                (
-                    "filter_group",
-                    models.ForeignKey(
-                        default=None,
-                        null=True,
-                        on_delete=django.db.models.deletion.SET_DEFAULT,
-                        to="authentik_core.group",
-                    ),
-                ),
-                (
-                    "property_mappings_group",
-                    models.ManyToManyField(
-                        blank=True,
-                        default=None,
-                        help_text="Property mappings used for group creation/updating.",
-                        to="authentik_core.propertymapping",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Microsoft Entra Provider",
-                "verbose_name_plural": "Microsoft Entra Providers",
-            },
-            bases=("authentik_core.provider", models.Model),
-        ),
-        migrations.CreateModel(
-            name="MicrosoftEntraProviderGroup",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
-                    ),
-                ),
-                ("microsoft_id", models.TextField()),
-                (
-                    "group",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.group"
-                    ),
-                ),
-                (
-                    "provider",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="authentik_providers_microsoft_entra.microsoftentraprovider",
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Microsoft Entra Provider Group",
-                "verbose_name_plural": "Microsoft Entra Provider Groups",
-                "unique_together": {("microsoft_id", "group", "provider")},
-            },
-        ),
-        migrations.CreateModel(
-            name="MicrosoftEntraProviderUser",
-            fields=[
-                (
-                    "id",
-                    models.UUIDField(
-                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
-                    ),
-                ),
-                ("microsoft_id", models.TextField()),
-                (
-                    "provider",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        to="authentik_providers_microsoft_entra.microsoftentraprovider",
-                    ),
-                ),
-                (
-                    "user",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Microsoft Entra Provider User",
-                "verbose_name_plural": "Microsoft Entra Provider User",
-                "unique_together": {("microsoft_id", "user", "provider")},
-            },
-        ),
-    ]
--- a/authentik/enterprise/providers/microsoft_entra/migrations/0002_microsoftentraprovidergroup_attributes_and_more.py
+++ b/authentik/enterprise/providers/microsoft_entra/migrations/0002_microsoftentraprovidergroup_attributes_and_more.py
@ -1,23 +0,0 @@
-# Generated by Django 5.0.6 on 2024-05-23 20:48
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_microsoft_entra", "0001_initial"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="microsoftentraprovidergroup",
-            name="attributes",
-            field=models.JSONField(default=dict),
-        ),
-        migrations.AddField(
-            model_name="microsoftentraprovideruser",
-            name="attributes",
-            field=models.JSONField(default=dict),
-        ),
-    ]
--- a/authentik/enterprise/providers/microsoft_entra/migrations/init.py
+++ b/authentik/enterprise/providers/microsoft_entra/migrations/init.py
--- a/authentik/enterprise/providers/microsoft_entra/models.py
+++ b/authentik/enterprise/providers/microsoft_entra/models.py
@ -1,188 +0,0 @@
-"""Microsoft Entra sync provider"""
-
-from typing import Any, Self
-from uuid import uuid4
-
-from azure.identity.aio import ClientSecretCredential
-from django.db import models
-from django.db.models import QuerySet
-from django.templatetags.static import static
-from django.utils.translation import gettext_lazy as _
-from rest_framework.serializers import Serializer
-
-from authentik.core.models import (
-    BackchannelProvider,
-    Group,
-    PropertyMapping,
-    User,
-    UserTypes,
-)
-from authentik.lib.models import SerializerModel
-from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
-from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction, OutgoingSyncProvider
-
-
-class MicrosoftEntraProviderUser(SerializerModel):
-    """Mapping of a user and provider to a Microsoft user ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    microsoft_id = models.TextField()
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
-    provider = models.ForeignKey("MicrosoftEntraProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.microsoft_entra.api.users import (
-            MicrosoftEntraProviderUserSerializer,
-        )
-
-        return MicrosoftEntraProviderUserSerializer
-
-    class Meta:
-        verbose_name = _("Microsoft Entra Provider User")
-        verbose_name_plural = _("Microsoft Entra Provider User")
-        unique_together = (("microsoft_id", "user", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Microsoft Entra Provider User {self.user_id} to {self.provider_id}"
-
-
-class MicrosoftEntraProviderGroup(SerializerModel):
-    """Mapping of a group and provider to a Microsoft group ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    microsoft_id = models.TextField()
-    group = models.ForeignKey(Group, on_delete=models.CASCADE)
-    provider = models.ForeignKey("MicrosoftEntraProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.microsoft_entra.api.groups import (
-            MicrosoftEntraProviderGroupSerializer,
-        )
-
-        return MicrosoftEntraProviderGroupSerializer
-
-    class Meta:
-        verbose_name = _("Microsoft Entra Provider Group")
-        verbose_name_plural = _("Microsoft Entra Provider Groups")
-        unique_together = (("microsoft_id", "group", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Microsoft Entra Provider Group {self.group_id} to {self.provider_id}"
-
-
-class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
-    """Sync users from authentik into Microsoft Entra."""
-
-    client_id = models.TextField()
-    client_secret = models.TextField()
-    tenant_id = models.TextField()
-
-    exclude_users_service_account = models.BooleanField(default=False)
-    user_delete_action = models.TextField(
-        choices=OutgoingSyncDeleteAction.choices, default=OutgoingSyncDeleteAction.DELETE
-    )
-    group_delete_action = models.TextField(
-        choices=OutgoingSyncDeleteAction.choices, default=OutgoingSyncDeleteAction.DELETE
-    )
-    filter_group = models.ForeignKey(
-        "authentik_core.group", on_delete=models.SET_DEFAULT, default=None, null=True
-    )
-
-    property_mappings_group = models.ManyToManyField(
-        PropertyMapping,
-        default=None,
-        blank=True,
-        help_text=_("Property mappings used for group creation/updating."),
-    )
-
-    def client_for_model(
-        self,
-        model: type[User | Group | MicrosoftEntraProviderUser | MicrosoftEntraProviderGroup],
-    ) -> BaseOutgoingSyncClient[User | Group, Any, Any, Self]:
-        if issubclass(model, User | MicrosoftEntraProviderUser):
-            from authentik.enterprise.providers.microsoft_entra.clients.users import (
-                MicrosoftEntraUserClient,
-            )
-
-            return MicrosoftEntraUserClient(self)
-        if issubclass(model, Group | MicrosoftEntraProviderGroup):
-            from authentik.enterprise.providers.microsoft_entra.clients.groups import (
-                MicrosoftEntraGroupClient,
-            )
-
-            return MicrosoftEntraGroupClient(self)
-        raise ValueError(f"Invalid model {model}")
-
-    def get_object_qs(self, type: type[User | Group]) -> QuerySet[User | Group]:
-        if type == User:
-            # Get queryset of all users with consistent ordering
-            # according to the provider's settings
-            base = User.objects.all().exclude_anonymous()
-            if self.exclude_users_service_account:
-                base = base.exclude(type=UserTypes.SERVICE_ACCOUNT).exclude(
-                    type=UserTypes.INTERNAL_SERVICE_ACCOUNT
-                )
-            if self.filter_group:
-                base = base.filter(ak_groups__in=[self.filter_group])
-            return base.order_by("pk")
-        if type == Group:
-            # Get queryset of all groups with consistent ordering
-            return Group.objects.all().order_by("pk")
-        raise ValueError(f"Invalid type {type}")
-
-    def microsoft_credentials(self):
-        return {
-            "credentials": ClientSecretCredential(
-                self.tenant_id, self.client_id, self.client_secret
-            )
-        }
-
-    @property
-    def icon_url(self) -> str | None:
-        return static("authentik/sources/azuread.svg")
-
-    @property
-    def component(self) -> str:
-        return "ak-provider-microsoft-entra-form"
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.microsoft_entra.api.providers import (
-            MicrosoftEntraProviderSerializer,
-        )
-
-        return MicrosoftEntraProviderSerializer
-
-    def __str__(self):
-        return f"Microsoft Entra Provider {self.name}"
-
-    class Meta:
-        verbose_name = _("Microsoft Entra Provider")
-        verbose_name_plural = _("Microsoft Entra Providers")
-
-
-class MicrosoftEntraProviderMapping(PropertyMapping):
-    """Map authentik data to outgoing Microsoft requests"""
-
-    @property
-    def component(self) -> str:
-        return "ak-property-mapping-microsoft-entra-form"
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.microsoft_entra.api.property_mappings import (
-            MicrosoftEntraProviderMappingSerializer,
-        )
-
-        return MicrosoftEntraProviderMappingSerializer
-
-    def __str__(self):
-        return f"Microsoft Entra Provider Mapping {self.name}"
-
-    class Meta:
-        verbose_name = _("Microsoft Entra Provider Mapping")
-        verbose_name_plural = _("Microsoft Entra Provider Mappings")
--- a/authentik/enterprise/providers/microsoft_entra/settings.py
+++ b/authentik/enterprise/providers/microsoft_entra/settings.py
@ -1,13 +0,0 @@
-"""Microsoft Entra provider task Settings"""
-
-from celery.schedules import crontab
-
-from authentik.lib.utils.time import fqdn_rand
-
-CELERY_BEAT_SCHEDULE = {
-    "providers_microsoft_entra_sync": {
-        "task": "authentik.enterprise.providers.microsoft_entra.tasks.microsoft_entra_sync_all",
-        "schedule": crontab(minute=fqdn_rand("microsoft_entra_sync_all"), hour="*/4"),
-        "options": {"queue": "authentik_scheduled"},
-    },
-}
--- a/authentik/enterprise/providers/microsoft_entra/signals.py
+++ b/authentik/enterprise/providers/microsoft_entra/signals.py
@ -1,16 +0,0 @@
-"""Microsoft provider signals"""
-
-from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
-from authentik.enterprise.providers.microsoft_entra.tasks import (
-    microsoft_entra_sync,
-    microsoft_entra_sync_direct,
-    microsoft_entra_sync_m2m,
-)
-from authentik.lib.sync.outgoing.signals import register_signals
-
-register_signals(
-    MicrosoftEntraProvider,
-    task_sync_single=microsoft_entra_sync,
-    task_sync_direct=microsoft_entra_sync_direct,
-    task_sync_m2m=microsoft_entra_sync_m2m,
-)
--- a/authentik/enterprise/providers/microsoft_entra/tasks.py
+++ b/authentik/enterprise/providers/microsoft_entra/tasks.py
@ -1,37 +0,0 @@
-"""Microsoft Entra Provider tasks"""
-
-from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
-from authentik.events.system_tasks import SystemTask
-from authentik.lib.sync.outgoing.exceptions import TransientSyncException
-from authentik.lib.sync.outgoing.tasks import SyncTasks
-from authentik.root.celery import CELERY_APP
-
-sync_tasks = SyncTasks(MicrosoftEntraProvider)
-
-
-@CELERY_APP.task(autoretry_for=(TransientSyncException,), retry_backoff=True)
-def microsoft_entra_sync_objects(*args, **kwargs):
-    return sync_tasks.sync_objects(*args, **kwargs)
-
-
-@CELERY_APP.task(
-    base=SystemTask, bind=True, autoretry_for=(TransientSyncException,), retry_backoff=True
-)
-def microsoft_entra_sync(self, provider_pk: int, *args, **kwargs):
-    """Run full sync for Microsoft Entra provider"""
-    return sync_tasks.sync_single(self, provider_pk, microsoft_entra_sync_objects)
-
-
-@CELERY_APP.task()
-def microsoft_entra_sync_all():
-    return sync_tasks.sync_all(microsoft_entra_sync)
-
-
-@CELERY_APP.task(autoretry_for=(TransientSyncException,), retry_backoff=True)
-def microsoft_entra_sync_direct(*args, **kwargs):
-    return sync_tasks.sync_signal_direct(*args, **kwargs)
-
-
-@CELERY_APP.task(autoretry_for=(TransientSyncException,), retry_backoff=True)
-def microsoft_entra_sync_m2m(*args, **kwargs):
-    return sync_tasks.sync_signal_m2m(*args, **kwargs)
--- a/authentik/enterprise/providers/microsoft_entra/tests/init.py
+++ b/authentik/enterprise/providers/microsoft_entra/tests/init.py
--- a/authentik/enterprise/providers/microsoft_entra/tests/test_groups.py
+++ b/authentik/enterprise/providers/microsoft_entra/tests/test_groups.py
@ -1,424 +0,0 @@
-"""Microsoft Entra Group tests"""
-
-from unittest.mock import AsyncMock, MagicMock, patch
-
-from azure.identity.aio import ClientSecretCredential
-from django.test import TestCase
-from msgraph.generated.models.group import Group as MSGroup
-from msgraph.generated.models.group_collection_response import GroupCollectionResponse
-from msgraph.generated.models.organization import Organization
-from msgraph.generated.models.organization_collection_response import OrganizationCollectionResponse
-from msgraph.generated.models.user import User as MSUser
-from msgraph.generated.models.user_collection_response import UserCollectionResponse
-from msgraph.generated.models.verified_domain import VerifiedDomain
-
-from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group, User
-from authentik.core.tests.utils import create_test_user
-from authentik.enterprise.providers.microsoft_entra.models import (
-    MicrosoftEntraProvider,
-    MicrosoftEntraProviderGroup,
-    MicrosoftEntraProviderMapping,
-    MicrosoftEntraProviderUser,
-)
-from authentik.enterprise.providers.microsoft_entra.tasks import microsoft_entra_sync
-from authentik.events.models import Event, EventAction
-from authentik.lib.generators import generate_id
-from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
-from authentik.tenants.models import Tenant
-
-
-class MicrosoftEntraGroupTests(TestCase):
-    """Microsoft Entra Group tests"""
-
-    @apply_blueprint("system/providers-microsoft-entra.yaml")
-    def setUp(self) -> None:
-        # Delete all groups and groups as the mocked HTTP responses only return one ID
-        # which will cause errors with multiple groups
-        Tenant.objects.update(avatars="none")
-        User.objects.all().exclude_anonymous().delete()
-        Group.objects.all().delete()
-        self.provider: MicrosoftEntraProvider = MicrosoftEntraProvider.objects.create(
-            name=generate_id(),
-            client_id=generate_id(),
-            client_secret=generate_id(),
-            tenant_id=generate_id(),
-            exclude_users_service_account=True,
-        )
-        self.app: Application = Application.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-        )
-        self.app.backchannel_providers.add(self.provider)
-        self.provider.property_mappings.add(
-            MicrosoftEntraProviderMapping.objects.get(
-                managed="goauthentik.io/providers/microsoft_entra/user"
-            )
-        )
-        self.provider.property_mappings_group.add(
-            MicrosoftEntraProviderMapping.objects.get(
-                managed="goauthentik.io/providers/microsoft_entra/group"
-            )
-        )
-        self.creds = ClientSecretCredential(generate_id(), generate_id(), generate_id())
-
-    def test_group_create(self):
-        """Test group creation"""
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.post",
-                AsyncMock(return_value=MSGroup(id=generate_id())),
-            ) as group_create,
-        ):
-            group = Group.objects.create(name=uid)
-            microsoft_group = MicrosoftEntraProviderGroup.objects.filter(
-                provider=self.provider, group=group
-            ).first()
-            self.assertIsNotNone(microsoft_group)
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            group_create.assert_called_once()
-
-    def test_group_not_created(self):
-        """Test without group property mappings, no group is created"""
-        self.provider.property_mappings_group.clear()
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.post",
-                AsyncMock(return_value=MSGroup(id=generate_id())),
-            ) as group_create,
-        ):
-            group = Group.objects.create(name=uid)
-            microsoft_group = MicrosoftEntraProviderGroup.objects.filter(
-                provider=self.provider, group=group
-            ).first()
-            self.assertIsNone(microsoft_group)
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            group_create.assert_not_called()
-
-    def test_group_create_update(self):
-        """Test group updating"""
-        uid = generate_id()
-        ext_id = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.post",
-                AsyncMock(return_value=MSGroup(id=ext_id)),
-            ) as group_create,
-            patch(
-                "msgraph.generated.groups.item.group_item_request_builder.GroupItemRequestBuilder.patch",
-                AsyncMock(return_value=MSGroup(id=ext_id)),
-            ) as group_patch,
-        ):
-            group = Group.objects.create(name=uid)
-            microsoft_group = MicrosoftEntraProviderGroup.objects.filter(
-                provider=self.provider, group=group
-            ).first()
-            self.assertIsNotNone(microsoft_group)
-
-            group.name = "new name"
-            group.save()
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            group_create.assert_called_once()
-            group_patch.assert_called_once()
-
-    def test_group_create_delete(self):
-        """Test group deletion"""
-        uid = generate_id()
-        ext_id = generate_id()
-        with (
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.post",
-                AsyncMock(return_value=MSGroup(id=ext_id)),
-            ) as group_create,
-            patch(
-                "msgraph.generated.groups.item.group_item_request_builder.GroupItemRequestBuilder.delete",
-                AsyncMock(return_value=MSGroup(id=ext_id)),
-            ) as group_delete,
-        ):
-            group = Group.objects.create(name=uid)
-            microsoft_group = MicrosoftEntraProviderGroup.objects.filter(
-                provider=self.provider, group=group
-            ).first()
-            self.assertIsNotNone(microsoft_group)
-
-            group.delete()
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            group_create.assert_called_once()
-            group_delete.assert_called_once()
-
-    def test_group_create_member_add(self):
-        """Test group creation"""
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.post",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ) as user_create,
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.patch",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ),
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.post",
-                AsyncMock(return_value=MSGroup(id=uid)),
-            ) as group_create,
-            patch(
-                "msgraph.generated.groups.item.members.ref.ref_request_builder.RefRequestBuilder.post",
-                AsyncMock(),
-            ) as member_add,
-        ):
-            user = create_test_user(uid)
-            group = Group.objects.create(name=uid)
-            group.users.add(user)
-            microsoft_group = MicrosoftEntraProviderGroup.objects.filter(
-                provider=self.provider, group=group
-            ).first()
-            self.assertIsNotNone(microsoft_group)
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            user_create.assert_called_once()
-            group_create.assert_called_once()
-            member_add.assert_called_once()
-            self.assertEqual(
-                member_add.call_args[0][0].odata_id,
-                f"https://graph.microsoft.com/v1.0/directoryObjects/{MicrosoftEntraProviderUser.objects.filter(
-                        provider=self.provider,
-                    ).first().microsoft_id}",
-            )
-
-    def test_group_create_member_remove(self):
-        """Test group creation"""
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.post",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ) as user_create,
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.patch",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ),
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.post",
-                AsyncMock(return_value=MSGroup(id=uid)),
-            ) as group_create,
-            patch(
-                "msgraph.generated.groups.item.members.ref.ref_request_builder.RefRequestBuilder.post",
-                AsyncMock(),
-            ) as member_add,
-            patch(
-                "msgraph.generated.groups.item.members.item.ref.ref_request_builder.RefRequestBuilder.delete",
-                AsyncMock(),
-            ) as member_remove,
-        ):
-            user = create_test_user(uid)
-            group = Group.objects.create(name=uid)
-            group.users.add(user)
-            microsoft_group = MicrosoftEntraProviderGroup.objects.filter(
-                provider=self.provider, group=group
-            ).first()
-            self.assertIsNotNone(microsoft_group)
-            group.users.remove(user)
-
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            user_create.assert_called_once()
-            group_create.assert_called_once()
-            member_add.assert_called_once()
-            self.assertEqual(
-                member_add.call_args[0][0].odata_id,
-                f"https://graph.microsoft.com/v1.0/directoryObjects/{MicrosoftEntraProviderUser.objects.filter(
-                        provider=self.provider,
-                    ).first().microsoft_id}",
-            )
-            member_remove.assert_called_once()
-
-    def test_group_create_delete_do_nothing(self):
-        """Test group deletion (delete action = do nothing)"""
-        self.provider.group_delete_action = OutgoingSyncDeleteAction.DO_NOTHING
-        self.provider.save()
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.post",
-                AsyncMock(return_value=MSGroup(id=uid)),
-            ) as group_create,
-            patch(
-                "msgraph.generated.groups.item.group_item_request_builder.GroupItemRequestBuilder.delete",
-                AsyncMock(return_value=MSGroup(id=uid)),
-            ) as group_delete,
-        ):
-            group = Group.objects.create(name=uid)
-            microsoft_group = MicrosoftEntraProviderGroup.objects.filter(
-                provider=self.provider, group=group
-            ).first()
-            self.assertIsNotNone(microsoft_group)
-
-            group.delete()
-            self.assertFalse(
-                MicrosoftEntraProviderGroup.objects.filter(
-                    provider=self.provider, group__name=uid
-                ).exists()
-            )
-            group_create.assert_called_once()
-            group_delete.assert_not_called()
-
-    def test_sync_task(self):
-        """Test group discovery"""
-        uid = generate_id()
-        self.app.backchannel_providers.remove(self.provider)
-        different_group = Group.objects.create(
-            name=uid,
-        )
-        self.app.backchannel_providers.add(self.provider)
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.patch",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ),
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.post",
-                AsyncMock(return_value=MSGroup(id=generate_id())),
-            ),
-            patch(
-                "msgraph.generated.groups.item.group_item_request_builder.GroupItemRequestBuilder.patch",
-                AsyncMock(return_value=MSGroup(id=uid)),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.get",
-                AsyncMock(
-                    return_value=UserCollectionResponse(
-                        value=[MSUser(mail=f"{uid}@goauthentik.io", id=uid)]
-                    )
-                ),
-            ) as user_list,
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.get",
-                AsyncMock(
-                    return_value=GroupCollectionResponse(
-                        value=[MSGroup(display_name=uid, unique_name=uid, id=uid)]
-                    )
-                ),
-            ) as group_list,
-        ):
-            microsoft_entra_sync.delay(self.provider.pk).get()
-            self.assertTrue(
-                MicrosoftEntraProviderGroup.objects.filter(
-                    group=different_group, provider=self.provider
-                ).exists()
-            )
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            user_list.assert_called_once()
-            group_list.assert_called_once()
--- a/authentik/enterprise/providers/microsoft_entra/tests/test_users.py
+++ b/authentik/enterprise/providers/microsoft_entra/tests/test_users.py
@ -1,418 +0,0 @@
-"""Microsoft Entra User tests"""
-
-from unittest.mock import AsyncMock, MagicMock, patch
-
-from azure.identity.aio import ClientSecretCredential
-from django.urls import reverse
-from msgraph.generated.models.group_collection_response import GroupCollectionResponse
-from msgraph.generated.models.organization import Organization
-from msgraph.generated.models.organization_collection_response import OrganizationCollectionResponse
-from msgraph.generated.models.user import User as MSUser
-from msgraph.generated.models.user_collection_response import UserCollectionResponse
-from msgraph.generated.models.verified_domain import VerifiedDomain
-from rest_framework.test import APITestCase
-
-from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group, User
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.enterprise.providers.microsoft_entra.models import (
-    MicrosoftEntraProvider,
-    MicrosoftEntraProviderMapping,
-    MicrosoftEntraProviderUser,
-)
-from authentik.enterprise.providers.microsoft_entra.tasks import microsoft_entra_sync
-from authentik.events.models import Event, EventAction
-from authentik.lib.generators import generate_id
-from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
-from authentik.tenants.models import Tenant
-
-
-class MicrosoftEntraUserTests(APITestCase):
-    """Microsoft Entra User tests"""
-
-    @apply_blueprint("system/providers-microsoft-entra.yaml")
-    def setUp(self) -> None:
-
-        # Delete all users and groups as the mocked HTTP responses only return one ID
-        # which will cause errors with multiple users
-        Tenant.objects.update(avatars="none")
-        User.objects.all().exclude_anonymous().delete()
-        Group.objects.all().delete()
-        self.provider: MicrosoftEntraProvider = MicrosoftEntraProvider.objects.create(
-            name=generate_id(),
-            client_id=generate_id(),
-            client_secret=generate_id(),
-            tenant_id=generate_id(),
-            exclude_users_service_account=True,
-        )
-        self.app: Application = Application.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-        )
-        self.app.backchannel_providers.add(self.provider)
-        self.provider.property_mappings.add(
-            MicrosoftEntraProviderMapping.objects.get(
-                managed="goauthentik.io/providers/microsoft_entra/user"
-            )
-        )
-        self.provider.property_mappings_group.add(
-            MicrosoftEntraProviderMapping.objects.get(
-                managed="goauthentik.io/providers/microsoft_entra/group"
-            )
-        )
-        self.creds = ClientSecretCredential(generate_id(), generate_id(), generate_id())
-
-    def test_user_create(self):
-        """Test user creation"""
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.post",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ) as user_create,
-        ):
-            user = User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-            microsoft_user = MicrosoftEntraProviderUser.objects.filter(
-                provider=self.provider, user=user
-            ).first()
-            self.assertIsNotNone(microsoft_user)
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            user_create.assert_called_once()
-
-    def test_user_not_created(self):
-        """Test without property mappings, no group is created"""
-        self.provider.property_mappings.clear()
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.post",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ) as user_create,
-        ):
-            user = User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-            microsoft_user = MicrosoftEntraProviderUser.objects.filter(
-                provider=self.provider, user=user
-            ).first()
-            self.assertIsNone(microsoft_user)
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            user_create.assert_not_called()
-
-    def test_user_create_update(self):
-        """Test user updating"""
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.post",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ) as user_create,
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.patch",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ) as user_patch,
-        ):
-            user = User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-            microsoft_user = MicrosoftEntraProviderUser.objects.filter(
-                provider=self.provider, user=user
-            ).first()
-            self.assertIsNotNone(microsoft_user)
-
-            user.name = "new name"
-            user.save()
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            user_create.assert_called_once()
-            user_patch.assert_called_once()
-
-    def test_user_create_delete(self):
-        """Test user deletion"""
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.post",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ) as user_create,
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.delete",
-                AsyncMock(),
-            ) as user_delete,
-        ):
-            user = User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-            microsoft_user = MicrosoftEntraProviderUser.objects.filter(
-                provider=self.provider, user=user
-            ).first()
-            self.assertIsNotNone(microsoft_user)
-
-            user.delete()
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            user_create.assert_called_once()
-            user_delete.assert_called_once()
-
-    def test_user_create_delete_suspend(self):
-        """Test user deletion (delete action = Suspend)"""
-        self.provider.user_delete_action = OutgoingSyncDeleteAction.SUSPEND
-        self.provider.save()
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.post",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ) as user_create,
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.patch",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ) as user_patch,
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.delete",
-                AsyncMock(),
-            ) as user_delete,
-        ):
-            user = User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-            microsoft_user = MicrosoftEntraProviderUser.objects.filter(
-                provider=self.provider, user=user
-            ).first()
-            self.assertIsNotNone(microsoft_user)
-
-            user.delete()
-            self.assertFalse(
-                MicrosoftEntraProviderUser.objects.filter(
-                    provider=self.provider, user__username=uid
-                ).exists()
-            )
-            user_create.assert_called_once()
-            user_patch.assert_called_once()
-            self.assertFalse(user_patch.call_args[0][0].account_enabled)
-            user_delete.assert_not_called()
-
-    def test_user_create_delete_do_nothing(self):
-        """Test user deletion (delete action = do nothing)"""
-        self.provider.user_delete_action = OutgoingSyncDeleteAction.DO_NOTHING
-        self.provider.save()
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.post",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ) as user_create,
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.patch",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ) as user_patch,
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.delete",
-                AsyncMock(),
-            ) as user_delete,
-        ):
-            user = User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-            microsoft_user = MicrosoftEntraProviderUser.objects.filter(
-                provider=self.provider, user=user
-            ).first()
-            self.assertIsNotNone(microsoft_user)
-
-            user.delete()
-            self.assertFalse(
-                MicrosoftEntraProviderUser.objects.filter(
-                    provider=self.provider, user__username=uid
-                ).exists()
-            )
-            user_create.assert_called_once()
-            user_patch.assert_not_called()
-            user_delete.assert_not_called()
-
-    def test_sync_task(self):
-        """Test user discovery"""
-        uid = generate_id()
-        self.app.backchannel_providers.remove(self.provider)
-        different_user = User.objects.create(
-            username=uid,
-            email=f"{uid}@goauthentik.io",
-        )
-        self.app.backchannel_providers.add(self.provider)
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "msgraph.generated.users.item.user_item_request_builder.UserItemRequestBuilder.patch",
-                AsyncMock(return_value=MSUser(id=generate_id())),
-            ),
-            patch(
-                "msgraph.generated.users.users_request_builder.UsersRequestBuilder.get",
-                AsyncMock(
-                    return_value=UserCollectionResponse(
-                        value=[MSUser(mail=f"{uid}@goauthentik.io", id=uid)]
-                    )
-                ),
-            ) as user_list,
-            patch(
-                "msgraph.generated.groups.groups_request_builder.GroupsRequestBuilder.get",
-                AsyncMock(return_value=GroupCollectionResponse(value=[])),
-            ),
-        ):
-            microsoft_entra_sync.delay(self.provider.pk).get()
-            self.assertTrue(
-                MicrosoftEntraProviderUser.objects.filter(
-                    user=different_user, provider=self.provider
-                ).exists()
-            )
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-            user_list.assert_called_once()
-
-    def test_connect_manual(self):
-        """test manual user connection"""
-        uid = generate_id()
-        self.app.backchannel_providers.remove(self.provider)
-        admin = create_test_admin_user()
-        different_user = User.objects.create(
-            username=uid,
-            email=f"{uid}@goauthentik.io",
-        )
-        self.app.backchannel_providers.add(self.provider)
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.clients.users.MicrosoftEntraUserClient.update_single_attribute",
-                MagicMock(),
-            ) as user_get,
-        ):
-            self.client.force_login(admin)
-            response = self.client.post(
-                reverse("authentik_api:microsoftentraprovideruser-list"),
-                data={
-                    "microsoft_id": generate_id(),
-                    "user": different_user.pk,
-                    "provider": self.provider.pk,
-                },
-            )
-            self.assertEqual(response.status_code, 201)
-            user_get.assert_called_once()
--- a/authentik/enterprise/providers/microsoft_entra/urls.py
+++ b/authentik/enterprise/providers/microsoft_entra/urls.py
@ -1,21 +0,0 @@
-"""microsoft provider urls"""
-
-from authentik.enterprise.providers.microsoft_entra.api.groups import (
-    MicrosoftEntraProviderGroupViewSet,
-)
-from authentik.enterprise.providers.microsoft_entra.api.property_mappings import (
-    MicrosoftEntraProviderMappingViewSet,
-)
-from authentik.enterprise.providers.microsoft_entra.api.providers import (
-    MicrosoftEntraProviderViewSet,
-)
-from authentik.enterprise.providers.microsoft_entra.api.users import (
-    MicrosoftEntraProviderUserViewSet,
-)
-
-api_urlpatterns = [
-    ("providers/microsoft_entra", MicrosoftEntraProviderViewSet),
-    ("providers/microsoft_entra_users", MicrosoftEntraProviderUserViewSet),
-    ("providers/microsoft_entra_groups", MicrosoftEntraProviderGroupViewSet),
-    ("propertymappings/provider/microsoft_entra", MicrosoftEntraProviderMappingViewSet),
-]
--- a/authentik/enterprise/providers/rac/api/connection_tokens.py
+++ b/authentik/enterprise/providers/rac/api/connection_tokens.py
@ -3,12 +3,12 @@
 from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.rac.api.endpoints import EndpointSerializer
 from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
--- a/Show More
+++ b/Show More