I know when you add users to organisations, you have to invite them, they accept the invite and then you accept their acknowledgment.
But is there a way to auto-add them without their acceptance of the invite, i.e. you just add them to the org?
I do not believe there is any way to turn this off or disable this option.
This is actually a security feature built into Bitwarden. I believe this additional step was added in response to BWN-01-008 – Malicious API server could steal organization encryption keys, which was addressed in the 2018 Bitwarden Security Assessment Report by Cure53:
Public key authentication via fingerprint (see #1 above) has been added to the confirmation step while on-boarding new users into an organization. Users can view and verify their fingerprint under their account’s settings in various Bitwarden client applications. Going forward, we will continue to investigate the possibility of implementing public key authentication for organization user on-boarding in other Bitwarden client applications, such as the desktop app, which are less susceptible to malicious server-side attacks (see #2 above). This would make the authentication process of public keys returned by the Bitwarden API server even safer.
Finally, it should be noted that users also have the ability to self-host the Bitwarden server on their own trusted infrastructure which would remove the risks associated with this issue almost entirely.
This also helps to act as a second form of authentication for on-boarding your users: the account fingerprint phrase can be confirmed with a user via some out-of-band communication, such as email, phone, or in person. This helps to verify that the user account in Bitwarden that was invited to your Org and accepted your invitation is indeed the correct account created by your Org user, and not possibly another third-party malicious actor who may have gotten access to their company email or otherwise accepted the Org invite.
If a malicious account accepted the Org invite, the fingerprint phrase would need to be confirmed prior to confirming the user to an Organization, and would prevent a malicious actor from possibly gaining access to sensitive shared resources.
For more see here
Account Fingerprint Phrase | Bitwarden Help & Support
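A simplified model of the confirmation check described above, added here as an illustration and not Bitwarden's own code: the phrase derivation, the wordlist and the key bytes are constructed stand-ins, but the shape of the check is the point, the admin only wraps the org key to the public key the server returned if its phrase matches the one the user read out over a separate channel.

```python
import hashlib
import hmac

# Constructed, illustrative wordlist (Bitwarden's real list is far larger); digest bytes pick the words.
WORDLIST = ["alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel",
            "india", "juliet", "kilo", "lima", "mike", "november", "oscar", "papa"]
PHRASE_WORDS = 6


def fingerprint_phrase(user_id: str, public_key: bytes) -> str:
    """Derive a human-comparable phrase from (user id, public key).

    Assumption for this model: SHA-256 over user id and key, one word per digest byte.
    Binding the user id means the same key attached to a different account reads differently.
    """
    digest = hashlib.sha256(user_id.encode() + b"\x00" + public_key).digest()
    return "-".join(WORDLIST[b % len(WORDLIST)] for b in digest[:PHRASE_WORDS])


def confirm_org_member(user_id: str, server_public_key: bytes, phrase_from_user: str) -> bool:
    """Admin-side confirmation step.

    server_public_key is whatever the API server handed back for this invitee;
    phrase_from_user must come from the user out of band (phone, in person), never
    from the same server, otherwise the comparison proves nothing.
    """
    expected = fingerprint_phrase(user_id, server_public_key)
    return hmac.compare_digest(expected.encode(), phrase_from_user.encode())


# Constructed sample data: byte strings standing in for real public keys.
ALICE_ID = "user-alice"
ALICE_KEY = b"constructed-public-key-for-alice"
SUBSTITUTED_KEY = b"constructed-public-key-from-elsewhere"


def demo() -> tuple:
    """Honest case: the server returns Alice's key and the phrase she reads out matches.
    Substitution case: the server returns some other key, so the phrase does not match
    and the admin refuses to confirm, which is exactly the BWN-01-008 mitigation."""
    phrase_alice_reads = fingerprint_phrase(ALICE_ID, ALICE_KEY)
    honest = confirm_org_member(ALICE_ID, ALICE_KEY, phrase_alice_reads)
    swapped = confirm_org_member(ALICE_ID, SUBSTITUTED_KEY, phrase_alice_reads)
    return honest, swapped


if __name__ == "__main__":
    print(demo())
```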
Thanks @cksapp, so what you're saying is they do need to accept the invite, you just can't auto-add them to an org?
As I understand that is correct, this security feature cannot be disabled in Bitwarden.