diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 0e9b04758..7543f7984 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -33,10 +33,14 @@ class UsersController < ApplicationController
   end
 
   def search
-    users = User.search_by_name(params["query"]).limit(20)
-    x = {}
-    users.each { |user| x[user.id] = { value: user.name, hint: user.email } }
-    render json: x.to_json
+    user_options = current_user.support? ? User.all : User.affiliated_users(current_user.organisation)
+    users = user_options.search_by(params["query"]).limit(20)
+
+    user_data = users.each_with_object({}) do |user, hash|
+      hash[user.id] = { value: user.name, hint: user.email }
+    end
+
+    render json: user_data.to_json
   end
 
   def resend_invite
diff --git a/app/models/user.rb b/app/models/user.rb
index d25faaa53..724c51409 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -77,6 +77,7 @@ class User < ApplicationRecord
   scope :deactivated, -> { where(active: false) }
   scope :active_status, -> { where(active: true).where.not(last_sign_in_at: nil) }
   scope :visible, -> { where(discarded_at: nil) }
+  scope :affiliated_users, ->(organisation) { where(organisation: organisation.child_organisations + [organisation] + organisation.parent_organisations) }
 
   def lettings_logs
     if support?
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index bb0a1cca3..28798e51b 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -117,6 +117,13 @@ RSpec.describe UsersController, type: :request do
         expect(response).to redirect_to("/account/sign-in")
       end
     end
+
+    describe "#search" do
+      it "redirects to the sign in page" do
+        get "/users/search"
+        expect(response).to redirect_to("/account/sign-in")
+      end
+    end
   end
 
   context "when user is signed in as a data provider" do
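Review bot: `params["query"]` is handed to `search_by` with no presence check, and the `search_by` scope is not part of this diff, so whether a missing or blank query is handled safely, and whether the term is bound rather than interpolated into SQL, cannot be confirmed from here; if a blank query should return nothing, guard it in the action with `return render json: {} if params["query"].blank?`. Neither `User.all` nor `affiliated_users` applies the model's `visible` scope, so discarded users will be offered as suggestions unless `search_by` filters them — `user_options.visible.search_by(...)` would close that. `render json: user_data.to_json` serialises twice; `render json: user_data` is sufficient. `.limit(20)` with no `order` makes the returned subset database-dependent.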
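Review bot: `affiliated_users` loads `child_organisations` and `parent_organisations` into Ruby arrays and concatenates them with `[organisation]` only to build an `IN` list, so every related organisation row is materialised on each search; if these are associations, passing ids avoids that, e.g. `where(organisation_id: [organisation.id] + organisation.child_organisations.ids + organisation.parent_organisations.ids)`. Since this scope is the authorisation boundary the search action now relies on, a comment stating that intent would help future readers, e.g. `# Users a member of `organisation` is allowed to see: its own, its parent organisations' and its child organisations'`. The enclosing `User` class continues outside the hunk.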
@@ -404,6 +411,25 @@ RSpec.describe UsersController, type: :request do
         expect(response).to have_http_status(:unauthorized)
       end
     end
+
+    describe "#search" do
+      let(:parent_relationship) { create(:organisation_relationship, parent_organisation: user.organisation) }
+      let(:child_relationship) { create(:organisation_relationship, child_organisation: user.organisation) }
+      let!(:org_user) { create(:user, organisation: user.organisation, name: "test_name") }
+      let!(:managing_user) { create(:user, organisation: child_relationship.parent_organisation, name: "stock_owner_test_name") }
+      let!(:owner_user) { create(:user, organisation: parent_relationship.child_organisation, name: "managing_agent_test_name") }
+
+      before do
+        create(:user, name: "other_organisation_test_name")
+      end
+
+      it "only searches within the current user's organisation, managing agents and stock owners" do
+        get "/users/search", headers:, params: { query: "test_name" }
+        result = JSON.parse(response.body)
+        expect(result.count).to eq(3)
+        expect(result.keys).to match_array([org_user.id.to_s, managing_user.id.to_s, owner_user.id.to_s])
+      end
+    end
   end
 
   context "when user is signed in as a data coordinator" do
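Review bot: The data-provider example only exercises a query that matches; nothing asserts what the endpoint returns for a missing or blank `query` parameter, nor whether a discarded or deactivated user inside the organisation is excluded, so the scoping's behaviour on those inputs is unpinned. The same gap applies to the data-coordinator and support examples in the two following hunks. An example along the lines of `get "/users/search", headers:, params: { query: "" }` followed by an assertion on the parsed body would fix the intended behaviour for blank input.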
@@ -1174,6 +1200,25 @@ RSpec.describe UsersController, type: :request do
         expect(response).to have_http_status(:unauthorized)
       end
     end
+
+    describe "#search" do
+      let(:parent_relationship) { create(:organisation_relationship, parent_organisation: user.organisation) }
+      let(:child_relationship) { create(:organisation_relationship, child_organisation: user.organisation) }
+      let!(:org_user) { create(:user, organisation: user.organisation, email: "test_name@example.com") }
+      let!(:managing_user) { create(:user, organisation: child_relationship.parent_organisation, email: "stock_owner_test_name@example.com") }
+      let!(:owner_user) { create(:user, organisation: parent_relationship.child_organisation, email: "managing_agent_test_name@example.com") }
+
+      before do
+        create(:user, email: "other_organisation_test_name@example.com")
+      end
+
+      it "only searches within the current user's organisation, managing agents and stock owners" do
+        get "/users/search", headers:, params: { query: "test_name" }
+        result = JSON.parse(response.body)
+        expect(result.count).to eq(3)
+        expect(result.keys).to match_array([org_user.id.to_s, managing_user.id.to_s, owner_user.id.to_s])
+      end
+    end
   end
 
   context "when user is signed in as a support user" do
@@ -2111,6 +2156,22 @@ RSpec.describe UsersController, type: :request do
         expect(page).not_to have_link("User to be deleted")
       end
     end
+
+    describe "#search" do
+      let(:parent_relationship) { create(:organisation_relationship, parent_organisation: user.organisation) }
+      let(:child_relationship) { create(:organisation_relationship, child_organisation: user.organisation) }
+      let!(:org_user) { create(:user, organisation: user.organisation, name: "test_name") }
+      let!(:managing_user) { create(:user, organisation: child_relationship.parent_organisation, name: "stock_owner_test_name") }
+      let!(:owner_user) { create(:user, organisation: parent_relationship.child_organisation, name: "managing_agent_test_name") }
+      let!(:other_user) { create(:user, name: "other_organisation_test_name") }
+
+      it "searches all users" do
+        get "/users/search", headers:, params: { query: "test_name" }
+        result = JSON.parse(response.body)
+        expect(result.count).to eq(4)
+        expect(result.keys).to match_array([org_user.id.to_s, managing_user.id.to_s, owner_user.id.to_s, other_user.id.to_s])
+      end
+    end
   end
 
   describe "title link" do