diff --git a/internal/api/grpc/idp/converter.go b/internal/api/grpc/idp/converter.go index dd38f27ed8..33edef14e0 100644 --- a/internal/api/grpc/idp/converter.go +++ b/internal/api/grpc/idp/converter.go @@ -261,7 +261,7 @@ func IDPNameQueryToModel(query *idp_pb.IDPNameQuery) *iam_model.IDPConfigSearchQ func IDPOwnerTypeQueryToModel(query *idp_pb.IDPOwnerTypeQuery) *iam_model.IDPConfigSearchQuery { return &iam_model.IDPConfigSearchQuery{ - Key: iam_model.IDPConfigSearchKeyName, + Key: iam_model.IDPConfigSearchKeyIdpProviderType, Method: domain.SearchMethodEquals, Value: IDPProviderTypeModelFromPb(query.OwnerType), } diff --git a/internal/api/grpc/management/idp.go b/internal/api/grpc/management/idp.go index be18264125..6ec192040d 100644 --- a/internal/api/grpc/management/idp.go +++ b/internal/api/grpc/management/idp.go @@ -3,9 +3,6 @@ package management import ( "context" - "google.golang.org/grpc/codes" - "google.golang.org/grpc/status" - "github.com/caos/zitadel/internal/api/authz" idp_grpc "github.com/caos/zitadel/internal/api/grpc/idp" object_pb "github.com/caos/zitadel/internal/api/grpc/object" @@ -30,7 +27,7 @@ func (s *Server) ListOrgIDPs(ctx context.Context, req *mgmt_pb.ListOrgIDPsReques }, nil } func (s *Server) AddOrgOIDCIDP(ctx context.Context, req *mgmt_pb.AddOrgOIDCIDPRequest) (*mgmt_pb.AddOrgOIDCIDPResponse, error) { - config, err := s.command.AddDefaultIDPConfig(ctx, addOIDCIDPRequestToDomain(req)) + config, err := s.command.AddIDPConfig(ctx, addOIDCIDPRequestToDomain(req), authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } 
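Review bot: Nothing in this commit pins the corrected key in IDPOwnerTypeQueryToModel, so an owner-type filter that silently matches the wrong column (as it did with `IDPConfigSearchKeyName`) could come back unnoticed. A small converter test asserting `Key == iam_model.IDPConfigSearchKeyIdpProviderType` and `Method == domain.SearchMethodEquals` would cover it. A doc comment such as `// IDPOwnerTypeQueryToModel maps the owner-type filter onto the IdpProviderType search key.` would also explain why the request field and the search key carry different names.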
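Review bot: In AddOrgOIDCIDP the organisation scope now comes from `authz.GetCtxData(ctx).OrgID` and goes straight into AddIDPConfig, but no empty-value guard for it is visible on the IDP path in this diff. The login-policy commands in org_policy_login.go reject `orgID == ""` with Errors.ResourceOwnerMissing; confirm that AddIDPConfig and orgIDPConfigWriteModelByID do the same, because this value is what keeps an org manager's change off another organisation's or the instance-default IDP configuration. The same applies to DeactivateOrgIDP, ReactivateOrgIDP, RemoveOrgIDP, UpdateOrgIDP and UpdateOrgIDPOIDCConfig in this file. A short comment on the call, for example `// orgID is taken from the authorized context, never from the request`, would record the intent. The handler body continues outside the hunk.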
@@ -44,14 +41,14 @@ func (s *Server) AddOrgOIDCIDP(ctx context.Context, req *mgmt_pb.AddOrgOIDCIDPRe }, nil } func (s *Server) DeactivateOrgIDP(ctx context.Context, req *mgmt_pb.DeactivateOrgIDPRequest) (*mgmt_pb.DeactivateOrgIDPResponse, error) { - objectDetails, err := s.command.DeactivateDefaultIDPConfig(ctx, req.IdpId) + objectDetails, err := s.command.DeactivateIDPConfig(ctx, req.IdpId, authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } return &mgmt_pb.DeactivateOrgIDPResponse{Details: object_pb.DomainToChangeDetailsPb(objectDetails)}, nil } func (s *Server) ReactivateOrgIDP(ctx context.Context, req *mgmt_pb.ReactivateOrgIDPRequest) (*mgmt_pb.ReactivateOrgIDPResponse, error) { - objectDetails, err := s.command.ReactivateDefaultIDPConfig(ctx, req.IdpId) + objectDetails, err := s.command.ReactivateIDPConfig(ctx, req.IdpId, authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } @@ -66,14 +63,14 @@ func (s *Server) RemoveOrgIDP(ctx context.Context, req *mgmt_pb.RemoveOrgIDPRequ if err != nil { return nil, err } - _, err = s.command.RemoveDefaultIDPConfig(ctx, req.IdpId, idpProviderViewsToDomain(idpProviders), externalIDPViewsToDomain(externalIDPs)...) + _, err = s.command.RemoveIDPConfig(ctx, req.IdpId, authz.GetCtxData(ctx).OrgID, len(idpProviders) > 0, externalIDPViewsToDomain(externalIDPs)...) if err != nil { return nil, err } return &mgmt_pb.RemoveOrgIDPResponse{}, nil } func (s *Server) UpdateOrgIDP(ctx context.Context, req *mgmt_pb.UpdateOrgIDPRequest) (*mgmt_pb.UpdateOrgIDPResponse, error) { - config, err := s.command.ChangeDefaultIDPConfig(ctx, updateIDPToDomain(req)) + config, err := s.command.ChangeIDPConfig(ctx, updateIDPToDomain(req), authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } 
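Review bot: In RemoveOrgIDP the cascade flag is now `len(idpProviders) > 0`, computed from a lookup that sits above this hunk and is not visible here. If that lookup reads an eventually consistent view, a provider attached to a login policy shortly before the call could be missed, and the policy would keep pointing at an IDP that has been removed. Confirm where `idpProviders` comes from, or state the assumption next to the call with `// cascade flag is derived from the provider view and may lag behind the event store`.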
@@ -85,6 +82,17 @@ func (s *Server) UpdateOrgIDP(ctx context.Context, req *mgmt_pb.UpdateOrgIDPRequ ), }, nil } + func (s *Server) UpdateOrgIDPOIDCConfig(ctx context.Context, req *mgmt_pb.UpdateOrgIDPOIDCConfigRequest) (*mgmt_pb.UpdateOrgIDPOIDCConfigResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method UpdateOrgIDPOIDCConfig not implemented") + config, err := s.command.ChangeIDPOIDCConfig(ctx, updateOIDCConfigToDomain(req), authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.UpdateOrgIDPOIDCConfigResponse{ + Details: object_pb.ChangeToDetailsPb( + config.Sequence, + config.ChangeDate, + config.ResourceOwner, + ), + }, nil } diff --git a/internal/api/grpc/management/policy_login.go b/internal/api/grpc/management/policy_login.go index fd4130d4ae..54beef9463 100644 --- a/internal/api/grpc/management/policy_login.go +++ b/internal/api/grpc/management/policy_login.go @@ -119,7 +119,7 @@ func (s *Server) ListLoginPolicySecondFactors(ctx context.Context, req *mgmt_pb. } func (s *Server) AddSecondFactorToLoginPolicy(ctx context.Context, req *mgmt_pb.AddSecondFactorToLoginPolicyRequest) (*mgmt_pb.AddSecondFactorToLoginPolicyResponse, error) { - _, objectDetails, err := s.command.AddSecondFactorToDefaultLoginPolicy(ctx, policy_grpc.SecondFactorTypeToDomain(req.Type)) + _, objectDetails, err := s.command.AddSecondFactorToLoginPolicy(ctx, policy_grpc.SecondFactorTypeToDomain(req.Type), authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } 
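Review bot: AddSecondFactorToLoginPolicy has no handler-level test in this commit showing that the event is written to the caller's organisation rather than to the default login policy, which is the behaviour the old `AddSecondFactorToDefaultLoginPolicy` call had. The factor list decides which MFA methods an organisation accepts, so a regression test that calls the handler with an org in the context and checks which aggregate receives the event would be worth adding. The same holds for RemoveSecondFactorFromLoginPolicy, AddMultiFactorToLoginPolicy and RemoveMultiFactorFromLoginPolicy in the following hunks. Each handler body continues outside its hunk.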
@@ -129,7 +129,7 @@ func (s *Server) AddSecondFactorToLoginPolicy(ctx context.Context, req *mgmt_pb. } func (s *Server) RemoveSecondFactorFromLoginPolicy(ctx context.Context, req *mgmt_pb.RemoveSecondFactorFromLoginPolicyRequest) (*mgmt_pb.RemoveSecondFactorFromLoginPolicyResponse, error) { - objectDetails, err := s.command.RemoveSecondFactorFromDefaultLoginPolicy(ctx, policy_grpc.SecondFactorTypeToDomain(req.Type)) + objectDetails, err := s.command.RemoveSecondFactorFromLoginPolicy(ctx, policy_grpc.SecondFactorTypeToDomain(req.Type), authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } @@ -151,7 +151,7 @@ func (s *Server) ListLoginPolicyMultiFactors(ctx context.Context, req *mgmt_pb.L } func (s *Server) AddMultiFactorToLoginPolicy(ctx context.Context, req *mgmt_pb.AddMultiFactorToLoginPolicyRequest) (*mgmt_pb.AddMultiFactorToLoginPolicyResponse, error) { - _, objectDetails, err := s.command.AddMultiFactorToDefaultLoginPolicy(ctx, policy_grpc.MultiFactorTypeToDomain(req.Type)) + _, objectDetails, err := s.command.AddMultiFactorToLoginPolicy(ctx, policy_grpc.MultiFactorTypeToDomain(req.Type), authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } @@ -161,7 +161,7 @@ func (s *Server) AddMultiFactorToLoginPolicy(ctx context.Context, req *mgmt_pb.A } func (s *Server) RemoveMultiFactorFromLoginPolicy(ctx context.Context, req *mgmt_pb.RemoveMultiFactorFromLoginPolicyRequest) (*mgmt_pb.RemoveMultiFactorFromLoginPolicyResponse, error) { - objectDetails, err := s.command.RemoveMultiFactorFromDefaultLoginPolicy(ctx, policy_grpc.MultiFactorTypeToDomain(req.Type)) + objectDetails, err := s.command.RemoveMultiFactorFromLoginPolicy(ctx, policy_grpc.MultiFactorTypeToDomain(req.Type), authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } diff --git a/internal/api/grpc/user/user_grant.go b/internal/api/grpc/user/user_grant.go index b07f4dd023..51495d2db1 100644 --- a/internal/api/grpc/user/user_grant.go +++ b/internal/api/grpc/user/user_grant.go 
@@ -17,20 +17,21 @@ func UserGrantsToPb(grants []*usr_grant_model.UserGrantView) []*user_pb.UserGran func UserGrantToPb(grant *usr_grant_model.UserGrantView) *user_pb.UserGrant { return &user_pb.UserGrant{ - GrantId: grant.ID, - UserId: grant.UserID, - State: ModelUserGrantStateToPb(grant.State), - RoleKeys: grant.RoleKeys, - UserName: grant.UserName, - FirstName: grant.FirstName, - LastName: grant.LastName, - Email: grant.Email, - DisplayName: grant.DisplayName, - OrgId: grant.ResourceOwner, - OrgDomain: grant.OrgPrimaryDomain, - OrgName: grant.OrgName, - ProjectId: grant.ProjectID, - ProjectName: grant.ProjectName, + GrantId: grant.ID, + UserId: grant.UserID, + State: ModelUserGrantStateToPb(grant.State), + RoleKeys: grant.RoleKeys, + UserName: grant.UserName, + FirstName: grant.FirstName, + LastName: grant.LastName, + Email: grant.Email, + DisplayName: grant.DisplayName, + OrgId: grant.ResourceOwner, + OrgDomain: grant.OrgPrimaryDomain, + OrgName: grant.OrgName, + ProjectId: grant.ProjectID, + ProjectName: grant.ProjectName, + ProjectGrantId: grant.GrantID, Details: object.ToViewDetailsPb( grant.Sequence, grant.CreationDate, diff --git a/internal/command/org_idp_config.go b/internal/command/org_idp_config.go index f6df7c2dc2..3e77326e0f 100644 --- a/internal/command/org_idp_config.go +++ b/internal/command/org_idp_config.go 
@@ -97,43 +97,57 @@ func (c *Commands) ChangeIDPConfig(ctx context.Context, config *domain.IDPConfig return writeModelToIDPConfig(&existingIDP.IDPConfigWriteModel), nil } -func (c *Commands) DeactivateIDPConfig(ctx context.Context, idpID, orgID string) error { +func (c *Commands) DeactivateIDPConfig(ctx context.Context, idpID, orgID string) (*domain.ObjectDetails, error) { existingIDP, err := c.orgIDPConfigWriteModelByID(ctx, idpID, orgID) if err != nil { - return err + return nil, err } if existingIDP.State != domain.IDPConfigStateActive { - return caos_errs.ThrowPreconditionFailed(nil, "Org-4M9so", "Errors.Org.IDPConfig.NotActive") + return nil, caos_errs.ThrowPreconditionFailed(nil, "Org-4M9so", "Errors.Org.IDPConfig.NotActive") } orgAgg := OrgAggregateFromWriteModel(&existingIDP.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org_repo.NewIDPConfigDeactivatedEvent(ctx, orgAgg, idpID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org_repo.NewIDPConfigDeactivatedEvent(ctx, orgAgg, idpID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingIDP, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingIDP.IDPConfigWriteModel.WriteModel), nil } -func (c *Commands) ReactivateIDPConfig(ctx context.Context, idpID, orgID string) error { +func (c *Commands) ReactivateIDPConfig(ctx context.Context, idpID, orgID string) (*domain.ObjectDetails, error) { existingIDP, err := c.orgIDPConfigWriteModelByID(ctx, idpID, orgID) if err != nil { - return err + return nil, err } if existingIDP.State != domain.IDPConfigStateInactive { - return caos_errs.ThrowPreconditionFailed(nil, "Org-5Mo0d", "Errors.Org.IDPConfig.NotInactive") + return nil, caos_errs.ThrowPreconditionFailed(nil, "Org-5Mo0d", "Errors.Org.IDPConfig.NotInactive") } orgAgg := OrgAggregateFromWriteModel(&existingIDP.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org_repo.NewIDPConfigReactivatedEvent(ctx, orgAgg, idpID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org_repo.NewIDPConfigReactivatedEvent(ctx, orgAgg, idpID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingIDP, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingIDP.IDPConfigWriteModel.WriteModel), nil } -func (c *Commands) RemoveIDPConfig(ctx context.Context, idpID, orgID string, cascadeRemoveProvider bool, cascadeExternalIDPs ...*domain.ExternalIDP) error { +func (c *Commands) RemoveIDPConfig(ctx context.Context, idpID, orgID string, cascadeRemoveProvider bool, cascadeExternalIDPs ...*domain.ExternalIDP) (*domain.ObjectDetails, error) { existingIDP, err := c.orgIDPConfigWriteModelByID(ctx, idpID, orgID) if err != nil { - return err + return nil, err } if existingIDP.State == domain.IDPConfigStateRemoved || existingIDP.State == domain.IDPConfigStateUnspecified { - return caos_errs.ThrowNotFound(nil, "Org-Yx9vd", "Errors.Org.IDPConfig.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "Org-Yx9vd", "Errors.Org.IDPConfig.NotExisting") } if existingIDP.State != domain.IDPConfigStateInactive { - return caos_errs.ThrowPreconditionFailed(nil, "Org-5Mo0d", "Errors.Org.IDPConfig.NotInactive") + return nil, caos_errs.ThrowPreconditionFailed(nil, "Org-5Mo0d", "Errors.Org.IDPConfig.NotInactive") } orgAgg := OrgAggregateFromWriteModel(&existingIDP.WriteModel) @@ -145,8 +159,15 @@ func (c *Commands) RemoveIDPConfig(ctx context.Context, idpID, orgID string, cas removeIDPEvents := c.removeIDPProviderFromLoginPolicy(ctx, orgAgg, idpID, true, cascadeExternalIDPs...) events = append(events, removeIDPEvents...) } - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingIDP, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingIDP.IDPConfigWriteModel.WriteModel), nil } func (c *Commands) getOrgIDPConfigByID(ctx context.Context, idpID, orgID string) (*domain.IDPConfig, error) { 
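Review bot: In DeactivateIDPConfig an error from `AppendAndReduce(existingIDP, pushedEvents...)` is returned to the caller after PushEvents has already succeeded, so the API can report a failure for a change that is presumably already stored. A client that retries would then receive Errors.Org.IDPConfig.NotActive, which hides what actually happened. Consider a comment at that return, `// events are already pushed here; this error only concerns building the response details`, or wrap the error so the two failure points can be told apart. ReactivateIDPConfig and RemoveIDPConfig (including the following hunk) and the four factor commands in org_policy_login.go share the pattern.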
diff --git a/internal/command/org_policy_login.go b/internal/command/org_policy_login.go index 6b98c87600..f0eab94d16 100644 --- a/internal/command/org_policy_login.go +++ b/internal/command/org_policy_login.go 
@@ -182,95 +182,118 @@ func (c *Commands) removeIDPProviderFromLoginPolicy(ctx context.Context, orgAgg return events } -func (c *Commands) AddSecondFactorToLoginPolicy(ctx context.Context, secondFactor domain.SecondFactorType, orgID string) (domain.SecondFactorType, error) { +func (c *Commands) AddSecondFactorToLoginPolicy(ctx context.Context, secondFactor domain.SecondFactorType, orgID string) (domain.SecondFactorType, *domain.ObjectDetails, error) { if orgID == "" { - return domain.SecondFactorTypeUnspecified, caos_errs.ThrowInvalidArgument(nil, "Org-M0fs9", "Errors.ResourceOwnerMissing") + return domain.SecondFactorTypeUnspecified, nil, caos_errs.ThrowInvalidArgument(nil, "Org-M0fs9", "Errors.ResourceOwnerMissing") } if !secondFactor.Valid() { - return domain.SecondFactorTypeUnspecified, caos_errs.ThrowInvalidArgument(nil, "Org-5m9fs", "Errors.Org.LoginPolicy.MFA.Unspecified") + return domain.SecondFactorTypeUnspecified, nil, caos_errs.ThrowInvalidArgument(nil, "Org-5m9fs", "Errors.Org.LoginPolicy.MFA.Unspecified") } secondFactorModel := NewOrgSecondFactorWriteModel(orgID, secondFactor) err := c.eventstore.FilterToQueryReducer(ctx, secondFactorModel) if err != nil { - return domain.SecondFactorTypeUnspecified, err + return domain.SecondFactorTypeUnspecified, nil, err } if secondFactorModel.State == domain.FactorStateActive { - return domain.SecondFactorTypeUnspecified, caos_errs.ThrowAlreadyExists(nil, "Org-2B0ps", "Errors.Org.LoginPolicy.MFA.AlreadyExists") + return domain.SecondFactorTypeUnspecified, nil, caos_errs.ThrowAlreadyExists(nil, "Org-2B0ps", "Errors.Org.LoginPolicy.MFA.AlreadyExists") } orgAgg := OrgAggregateFromWriteModel(&secondFactorModel.SecondFactorWriteModel.WriteModel) - if _, err = c.eventstore.PushEvents(ctx, org.NewLoginPolicySecondFactorAddedEvent(ctx, orgAgg, secondFactor)); err != nil { - return domain.SecondFactorTypeUnspecified, err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewLoginPolicySecondFactorAddedEvent(ctx, 
orgAgg, secondFactor)) + if err != nil { + return domain.SecondFactorTypeUnspecified, nil, err } - return secondFactorModel.MFAType, nil + err = AppendAndReduce(secondFactorModel, pushedEvents...) + if err != nil { + return domain.SecondFactorTypeUnspecified, nil, err + } + return secondFactorModel.MFAType, writeModelToObjectDetails(&secondFactorModel.WriteModel), nil } -func (c *Commands) RemoveSecondFactorFromLoginPolicy(ctx context.Context, secondFactor domain.SecondFactorType, orgID string) error { +func (c *Commands) RemoveSecondFactorFromLoginPolicy(ctx context.Context, secondFactor domain.SecondFactorType, orgID string) (*domain.ObjectDetails, error) { if orgID == "" { - return caos_errs.ThrowInvalidArgument(nil, "Org-fM0gs", "Errors.ResourceOwnerMissing") + return nil, caos_errs.ThrowInvalidArgument(nil, "Org-fM0gs", "Errors.ResourceOwnerMissing") } if !secondFactor.Valid() { - return caos_errs.ThrowInvalidArgument(nil, "Org-55n8s", "Errors.Org.LoginPolicy.MFA.Unspecified") + return nil, caos_errs.ThrowInvalidArgument(nil, "Org-55n8s", "Errors.Org.LoginPolicy.MFA.Unspecified") } secondFactorModel := NewOrgSecondFactorWriteModel(orgID, secondFactor) err := c.eventstore.FilterToQueryReducer(ctx, secondFactorModel) if err != nil { - return err + return nil, err } if secondFactorModel.State == domain.FactorStateUnspecified || secondFactorModel.State == domain.FactorStateRemoved { - return caos_errs.ThrowNotFound(nil, "Org-3M9od", "Errors.Org.LoginPolicy.MFA.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "Org-3M9od", "Errors.Org.LoginPolicy.MFA.NotExisting") } orgAgg := OrgAggregateFromWriteModel(&secondFactorModel.SecondFactorWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org.NewLoginPolicySecondFactorRemovedEvent(ctx, orgAgg, secondFactor)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewLoginPolicySecondFactorRemovedEvent(ctx, orgAgg, secondFactor)) + if err != nil { + return nil, err + } + err = 
AppendAndReduce(secondFactorModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&secondFactorModel.WriteModel), nil } -func (c *Commands) AddMultiFactorToLoginPolicy(ctx context.Context, multiFactor domain.MultiFactorType, orgID string) (domain.MultiFactorType, error) { +func (c *Commands) AddMultiFactorToLoginPolicy(ctx context.Context, multiFactor domain.MultiFactorType, orgID string) (domain.MultiFactorType, *domain.ObjectDetails, error) { if orgID == "" { - return domain.MultiFactorTypeUnspecified, caos_errs.ThrowInvalidArgument(nil, "Org-M0fsf", "Errors.ResourceOwnerMissing") + return domain.MultiFactorTypeUnspecified, nil, caos_errs.ThrowInvalidArgument(nil, "Org-M0fsf", "Errors.ResourceOwnerMissing") } if !multiFactor.Valid() { - return domain.MultiFactorTypeUnspecified, caos_errs.ThrowInvalidArgument(nil, "Org-5m9fs", "Errors.Org.LoginPolicy.MFA.Unspecified") + return domain.MultiFactorTypeUnspecified, nil, caos_errs.ThrowInvalidArgument(nil, "Org-5m9fs", "Errors.Org.LoginPolicy.MFA.Unspecified") } multiFactorModel := NewOrgMultiFactorWriteModel(orgID, multiFactor) err := c.eventstore.FilterToQueryReducer(ctx, multiFactorModel) if err != nil { - return domain.MultiFactorTypeUnspecified, err + return domain.MultiFactorTypeUnspecified, nil, err } if multiFactorModel.State == domain.FactorStateActive { - return domain.MultiFactorTypeUnspecified, caos_errs.ThrowAlreadyExists(nil, "Org-3M9od", "Errors.Org.LoginPolicy.MFA.AlreadyExists") + return domain.MultiFactorTypeUnspecified, nil, caos_errs.ThrowAlreadyExists(nil, "Org-3M9od", "Errors.Org.LoginPolicy.MFA.AlreadyExists") } orgAgg := OrgAggregateFromWriteModel(&multiFactorModel.WriteModel) - if _, err = c.eventstore.PushEvents(ctx, org.NewLoginPolicyMultiFactorAddedEvent(ctx, orgAgg, multiFactor)); err != nil { - return domain.MultiFactorTypeUnspecified, err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewLoginPolicyMultiFactorAddedEvent(ctx, orgAgg, 
multiFactor)) + if err != nil { + return domain.MultiFactorTypeUnspecified, nil, err } - - return multiFactorModel.MFAType, nil + err = AppendAndReduce(multiFactorModel, pushedEvents...) + if err != nil { + return domain.MultiFactorTypeUnspecified, nil, err + } + return multiFactorModel.MultiFactoryWriteModel.MFAType, writeModelToObjectDetails(&multiFactorModel.WriteModel), nil } -func (c *Commands) RemoveMultiFactorFromLoginPolicy(ctx context.Context, multiFactor domain.MultiFactorType, orgID string) error { +func (c *Commands) RemoveMultiFactorFromLoginPolicy(ctx context.Context, multiFactor domain.MultiFactorType, orgID string) (*domain.ObjectDetails, error) { if orgID == "" { - return caos_errs.ThrowInvalidArgument(nil, "Org-M0fsf", "Errors.ResourceOwnerMissing") + return nil, caos_errs.ThrowInvalidArgument(nil, "Org-M0fsf", "Errors.ResourceOwnerMissing") } if !multiFactor.Valid() { - return caos_errs.ThrowInvalidArgument(nil, "Org-5m9fs", "Errors.Org.LoginPolicy.MFA.Unspecified") + return nil, caos_errs.ThrowInvalidArgument(nil, "Org-5m9fs", "Errors.Org.LoginPolicy.MFA.Unspecified") } multiFactorModel := NewOrgMultiFactorWriteModel(orgID, multiFactor) err := c.eventstore.FilterToQueryReducer(ctx, multiFactorModel) if err != nil { - return err + return nil, err } if multiFactorModel.State == domain.FactorStateUnspecified || multiFactorModel.State == domain.FactorStateRemoved { - return caos_errs.ThrowNotFound(nil, "Org-3M9df", "Errors.Org.LoginPolicy.MFA.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "Org-3M9df", "Errors.Org.LoginPolicy.MFA.NotExisting") } orgAgg := OrgAggregateFromWriteModel(&multiFactorModel.MultiFactoryWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org.NewLoginPolicyMultiFactorRemovedEvent(ctx, orgAgg, multiFactor)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewLoginPolicyMultiFactorRemovedEvent(ctx, orgAgg, multiFactor)) + if err != nil { + return nil, err + } + err = 
AppendAndReduce(multiFactorModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&multiFactorModel.WriteModel), nil } diff --git a/internal/command/org_policy_login_test.go b/internal/command/org_policy_login_test.go index 099cf0d068..d935a4e6e1 100644 --- a/internal/command/org_policy_login_test.go +++ b/internal/command/org_policy_login_test.go @@ -1043,7 +1043,7 @@ func TestCommandSide_AddSecondFactorLoginPolicy(t *testing.T) { r := &Commands{ eventstore: tt.fields.eventstore, } - got, err := r.AddSecondFactorToLoginPolicy(tt.args.ctx, tt.args.factor, tt.args.resourceOwner) + got, _, err := r.AddSecondFactorToLoginPolicy(tt.args.ctx, tt.args.factor, tt.args.resourceOwner) if tt.res.err == nil { assert.NoError(t, err) } @@ -1194,7 +1194,7 @@ func TestCommandSide_RemoveSecondFactoroginPolicy(t *testing.T) { r := &Commands{ eventstore: tt.fields.eventstore, } - err := r.RemoveSecondFactorFromLoginPolicy(tt.args.ctx, tt.args.factor, tt.args.resourceOwner) + _, err := r.RemoveSecondFactorFromLoginPolicy(tt.args.ctx, tt.args.factor, tt.args.resourceOwner) if tt.res.err == nil { assert.NoError(t, err) } @@ -1310,7 +1310,7 @@ func TestCommandSide_AddMultiFactorLoginPolicy(t *testing.T) { r := &Commands{ eventstore: tt.fields.eventstore, } - got, err := r.AddMultiFactorToLoginPolicy(tt.args.ctx, tt.args.factor, tt.args.resourceOwner) + got, _, err := r.AddMultiFactorToLoginPolicy(tt.args.ctx, tt.args.factor, tt.args.resourceOwner) if tt.res.err == nil { assert.NoError(t, err) } @@ -1461,7 +1461,7 @@ func TestCommandSide_RemoveMultiFactorLoginPolicy(t *testing.T) { r := &Commands{ eventstore: tt.fields.eventstore, } - err := r.RemoveMultiFactorFromLoginPolicy(tt.args.ctx, tt.args.factor, tt.args.resourceOwner) + _, err := r.RemoveMultiFactorFromLoginPolicy(tt.args.ctx, tt.args.factor, tt.args.resourceOwner) if tt.res.err == nil { assert.NoError(t, err) } 
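Review bot: Several error IDs on the rewritten return lines are not unique: `Org-5m9fs` appears in AddSecondFactorToLoginPolicy, AddMultiFactorToLoginPolicy and RemoveMultiFactorFromLoginPolicy, `Org-M0fsf` in both multi-factor commands, and `Org-3M9od` marks NotExisting in RemoveSecondFactorFromLoginPolicy but AlreadyExists in AddMultiFactorToLoginPolicy. Someone reading logs for an MFA policy change cannot tell from the ID which command or condition produced the error. Every one of these lines is touched here anyway, so give each its own ID, e.g. `caos_errs.ThrowAlreadyExists(nil, "Org-<new-unique-id>", "Errors.Org.LoginPolicy.MFA.AlreadyExists")` with the placeholder replaced by a fresh value. The hunk also reaches the embedded model in two spellings (`&multiFactorModel.WriteModel` and `&multiFactorModel.MultiFactoryWriteModel.WriteModel`); using one would be easier to follow.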
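Review bot: All four updated call sites discard the new *domain.ObjectDetails result (`got, _, err :=` and `_, err :=`), so the added AppendAndReduce and writeModelToObjectDetails path in the commands has no assertion behind it. In the success cases, capture the value and check it, for example that it is non-nil and that its resource owner equals `tt.args.resourceOwner`. This applies to TestCommandSide_AddSecondFactorLoginPolicy, TestCommandSide_RemoveSecondFactoroginPolicy, TestCommandSide_AddMultiFactorLoginPolicy and TestCommandSide_RemoveMultiFactorLoginPolicy; each test body continues outside its hunk.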
diff --git a/internal/command/project_application_key_model.go b/internal/command/project_application_key_model.go index 979d7f3a21..2466a6e145 100644 --- a/internal/command/project_application_key_model.go +++ b/internal/command/project_application_key_model.go @@ -93,6 +93,7 @@ func (wm *ApplicationKeyWriteModel) Reduce() error { wm.ClientID = e.ClientID wm.ExpirationDate = e.ExpirationDate wm.KeyType = e.KeyType + wm.State = domain.AppStateActive case *project.ApplicationKeyRemovedEvent: wm.State = domain.AppStateRemoved case *project.ProjectRemovedEvent: diff --git a/proto/zitadel/user.proto b/proto/zitadel/user.proto index 0b90d33c2e..94c9a00dcc 100644 --- a/proto/zitadel/user.proto +++ b/proto/zitadel/user.proto @@ -262,6 +262,7 @@ message UserGrant { string project_id = 14; string project_name = 15; + string project_grant_id = 16; } enum UserGrantState {
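Review bot: The added `wm.State = domain.AppStateActive` has no test in this commit, and the case arm it belongs to starts above the hunk. Before this line the write model apparently left State unset after a key was added, so any existence or removal check that reads State (not visible here) would have treated a live key as unspecified. A reducer test that applies the key-added event followed by `*project.ApplicationKeyRemovedEvent` and asserts `domain.AppStateActive` and then `domain.AppStateRemoved` would keep this from regressing. A comment such as `// a key is active as soon as it has been added` would state the intent.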