diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index 113675dae44e..bd5afef4678f 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -696,7 +696,7 @@ class LoginController extends BaseController
 }
 if($provider == 'microsoft'){
- $scopes = ['email', 'Mail.ReadWrite', 'Mail.Send', 'offline_access', 'profile', 'User.Read openid'];
+ $scopes = ['email', 'Mail.Send', 'offline_access', 'profile', 'User.Read openid'];
 $parameters = ['response_type' => 'code', 'redirect_uri' => config('ninja.app_url')."/auth/microsoft"];
 }
diff --git a/app/Http/Controllers/ClientPortal/InvitationController.php b/app/Http/Controllers/ClientPortal/InvitationController.php
index 490a60f31a34..7cd2d273174a 100644
--- a/app/Http/Controllers/ClientPortal/InvitationController.php
+++ b/app/Http/Controllers/ClientPortal/InvitationController.php
@@ -235,6 +235,9 @@ class InvitationController extends Controller
 ->with('contact.client')
 ->firstOrFail();
+ if($invitation->contact->trashed())
+ $invitation->contact->restore();
+
 auth()->guard('contact')->loginUsingId($invitation->contact->id, true);
 $invoice = $invitation->invoice;
diff --git a/app/Http/Controllers/ConnectedAccountController.php b/app/Http/Controllers/ConnectedAccountController.php
index a520045fdbe3..b8544e1a5d96 100644
--- a/app/Http/Controllers/ConnectedAccountController.php
+++ b/app/Http/Controllers/ConnectedAccountController.php
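Review bot: The last element of the new `$scopes` line still packs two scopes into one string, `'User.Read openid'`; split it into `'User.Read', 'openid'` so every element is a single scope, consistent with the rest of the list. Dropping `Mail.ReadWrite` narrows the consent to sending only, which is the right direction for least privilege, but any code that relied on reading mailbox contents through this grant, if such code exists, would need checking. The enclosing method starts and ends outside the hunk.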
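Review bot: The added `restore()` silently reverses a soft-delete of the contact every time an invitation link is followed, immediately before `loginUsingId(...)` hands that contact a portal session, so a contact that was deliberately removed regains access simply by replaying an old link. If the goal is to recover contacts that were trashed incidentally, limit the restore to that case, or at least record it, e.g. `nlog("restoring trashed contact {$invitation->contact->id} via invitation");` before the call, and give the `if` braces. The enclosing method begins and ends outside the hunk.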
@@ -81,12 +81,61 @@ class ConnectedAccountController extends BaseController
 return $this->handleGoogleOauth();
 }
+ if ($request->input('provider') == 'microsoft') {
+ return $this->handleMicrosoftOauth($request);
+ }
+
 return response()
 ->json(['message' => 'Provider not supported'], 400)
 ->header('X-App-Version', config('ninja.app_version'))
 ->header('X-Api-Version', config('ninja.minimum_client_version'));
 }
+ private function handleMicrosoftOauth($request)
+ {
+ nlog($request->all());
+
+ if(!$request->has('account_token'))
+ return response()->json(['message' => 'No access_token parameter found!'], 400);
+
+ $graph = new \Microsoft\Graph\Graph();
+ $graph->setAccessToken($request->input('access_token'));
+
+ $user = $graph->createRequest("GET", "/me")
+ ->setReturnType(Model\User::class)
+ ->execute();
+
+ if($user){
+
+ $email = $user->getMail() ?: $user->getUserPrincipalName();
+
+ if(auth()->user()->email != $email && MultiDB::checkUserEmailExists($email))
+ return response()->json(['message' => ctrans('texts.email_already_register')], 400);
+
+ $connected_account = [
+ 'email' => $email,
+ 'oauth_user_id' => $user->getId(),
+ 'oauth_provider_id' => 'microsoft',
+ 'email_verified_at' =>now()
+ ];
+
+ auth()->user()->update($connected_account);
+ auth()->user()->email_verified_at = now();
+ auth()->user()->save();
+
+ $this->setLoginCache(auth()->user());
+
+ return $this->itemResponse(auth()->user());
+
+ }
+
+ return response()
+ ->json(['message' => ctrans('texts.invalid_credentials')], 401)
+ ->header('X-App-Version', config('ninja.app_version'))
+ ->header('X-Api-Version', config('ninja.minimum_client_version'));
+
+ }
+
 private function handleGoogleOauth()
 {
 $user = false;
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index 384064bd594a..3d1bf2e1d44d 100644
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
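Review bot: `handleMicrosoftOauth()` guards on `$request->has('account_token')` but then reads `$request->input('access_token')`, so the check never covers the value actually passed to `setAccessToken()` and a request without `access_token` proceeds with a null token; the guard should be `if (!$request->has('access_token')) {` to match both the input and the error text. The `nlog($request->all())` on the first line writes that bearer token into the application log; drop it, or log only the non-secret keys. The Graph result is then trusted to overwrite the current user's `email` and mark it verified with no check beyond the `checkUserEmailExists` collision test, which is defensible only because the `/me` call has just validated the token with Microsoft — worth a one-line comment saying so. The provider comparison in the caller uses `==` where `===` is the strict form, and `Model\User::class` depends on a `use` import that is not visible in this hunk.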
@@ -396,7 +396,7 @@ class UserController extends BaseController
 UserEmailChanged::dispatch($new_user, json_decode($old_user), auth()->user()->company());
 }
- $user->company_users()->update(["permissions_updated_at" => now()]);
+ // $user->company_users()->update(["permissions_updated_at" => now()]);
 event(new UserWasUpdated($user, auth()->user(), auth()->user()->company, Ninja::eventVars(auth()->user() ? auth()->user()->id : null)));
diff --git a/app/Http/Middleware/PasswordProtection.php b/app/Http/Middleware/PasswordProtection.php
index b13c9a1e3a86..456bb3cf9d77 100644
--- a/app/Http/Middleware/PasswordProtection.php
+++ b/app/Http/Middleware/PasswordProtection.php
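Review bot: The new line keeps the `permissions_updated_at` write as commented-out code rather than deleting it; if the write is no longer wanted, remove the line and give the reason in the commit, and if it is only disabled for now, a `// TODO: <reason>` with the reason belongs in its place. Without it, `company_users` rows no longer have `permissions_updated_at` bumped from this path, which may matter if anything keys permission-cache invalidation off that column — I cannot tell from the hunk. The enclosing method starts and ends outside the hunk.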
@@ -63,35 +63,57 @@ class PasswordProtection
 //user is attempting to reauth with OAuth - check the token value
 //todo expand this to include all OAuth providers
- $user = false;
- $google = new Google();
- $user = $google->getTokenResponse(request()->header('X-API-OAUTH-PASSWORD'));
-
- if (is_array($user)) {
-
- $query = [
- 'oauth_user_id' => $google->harvestSubField($user),
- 'oauth_provider_id'=> 'google'
- ];
+ if(auth()->user()->oauth_provider_id == 'google')
+ {
+ $user = false;
+ $google = new Google();
+ $user = $google->getTokenResponse(request()->header('X-API-OAUTH-PASSWORD'));
- //If OAuth and user also has a password set - check both
- if ($existing_user = MultiDB::hasUser($query) && auth()->user()->company()->oauth_password_required && auth()->user()->has_password && Hash::check(auth()->user()->password, $x_api_password)) {
+ if (is_array($user)) {
+
+ $query = [
+ 'oauth_user_id' => $google->harvestSubField($user),
+ 'oauth_provider_id'=> 'google'
+ ];
- nlog("existing user with password");
+ //If OAuth and user also has a password set - check both
+ if ($existing_user = MultiDB::hasUser($query) && auth()->user()->company()->oauth_password_required && auth()->user()->has_password && Hash::check(auth()->user()->password, $x_api_password)) {
+
+ nlog("existing user with password");
+
+ Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
+
+ return $next($request);
+ }
+ elseif($existing_user = MultiDB::hasUser($query) && !auth()->user()->company()->oauth_password_required){
+
+ nlog("existing user without password");
+
+ Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
+ return $next($request);
+ }
+ }
+
+ }
+ elseif(auth()->user()->oauth_provider_id == 'microsoft')
+ {
+ try{
+ $payload = json_decode(base64_decode(str_replace('_', '/', str_replace('-','+',explode('.', request()->header('X-API-OAUTH-PASSWORD'))[1]))));
+ }
+ catch(\Exception $e){
+ nlog("could not decode microsoft response");
+ return response()->json(['message' => 'Could not decode the response from Microsoft'], 412);
+ }
+
+ if($payload->preferred_username == auth()->user()->email){
 Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
- return $next($request);
 }
- elseif($existing_user = MultiDB::hasUser($query) && !auth()->user()->company()->oauth_password_required){
-
- nlog("existing user without password");
-
- Cache::put(auth()->user()->hashed_id.'_'.auth()->user()->account_id.'_logged_in', Str::random(64), $timeout);
- return $next($request);
- }
 }
+
+ return response()->json($error, 412);
diff --git a/app/PaymentDrivers/Forte/CreditCard.php b/app/PaymentDrivers/Forte/CreditCard.php
index b9882b3a4349..ad599f32f925 100644
--- a/app/PaymentDrivers/Forte/CreditCard.php
+++ b/app/PaymentDrivers/Forte/CreditCard.php
@@ -90,7 +90,7 @@ class CreditCard
 $amount_with_fee = $payment_hash->data->total->amount_with_fee;
 $invoice_totals = $payment_hash->data->total->invoice_totals;
 $fee_total = 0;
- print_r($payment_hash->data->total);
+
 for ($i = ($invoice_totals * 100) ; $i < ($amount_with_fee * 100); $i++) {
 $calculated_fee = ( 3 * $i) / 100;
 $calculated_amount_with_fee = round(($i + $calculated_fee) / 100,2);
diff --git a/app/Services/ClientPortal/InstantPayment.php b/app/Services/ClientPortal/InstantPayment.php
index ae43fd605ab1..ca6184234fbc 100644
--- a/app/Services/ClientPortal/InstantPayment.php
+++ b/app/Services/ClientPortal/InstantPayment.php
@@ -255,6 +255,7 @@ class InstantPayment
 'tokens' => $tokens,
 'payment_method_id' => $payment_method_id,
 'amount_with_fee' => $invoice_totals + $fee_totals,
+ 'client' => $client,
 ];
 if ($is_credit_payment || $totals <= 0) {
diff --git a/resources/views/index/index.blade.php b/resources/views/index/index.blade.php
index a7596262599f..1409f8f6b2f3 100644
--- a/resources/views/index/index.blade.php
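Review bot: The Microsoft branch grants the password-protected action on the strength of an unverified JWT: it base64-decodes the middle segment of `X-API-OAUTH-PASSWORD` and compares `preferred_username` with the user's email without checking the token's signature, issuer, audience or expiry, so the decoded claim is attacker-controlled input and the header no longer proves anything about who sent it. The identity must be established server-side before the claim is trusted — verify the token against the identity provider's signing keys, or resolve it with an authenticated call the way `handleMicrosoftOauth()` in this commit asks Graph for `/me`. Separately, `json_decode` does not throw, so a malformed segment yields `null` and the later `$payload->preferred_username` access is not covered by the `catch`; and after a successful match the branch sets the cache but falls through to `return response()->json($error, 412);` with no `return $next($request);`, unlike the Google branch — if that is intended, say so in a comment. The middleware's `handle` method begins and ends outside the hunk.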
+++ b/resources/views/index/index.blade.php
@@ -1,5 +1,5 @@
-
+
diff --git a/resources/views/portal/ninja2020/purchase_orders/show.blade.php b/resources/views/portal/ninja2020/purchase_orders/show.blade.php
index bc2a91e97cd5..50f5cc77a4fe 100644
--- a/resources/views/portal/ninja2020/purchase_orders/show.blade.php
+++ b/resources/views/portal/ninja2020/purchase_orders/show.blade.php
@@ -3,7 +3,7 @@
 @push('head')
-
+
 @include('portal.ninja2020.components.no-cache')