diff --git a/apiserver/internal/repos/user/user.go b/apiserver/internal/repos/user/user.go
index aaadd72f..3de2b41a 100644
--- a/apiserver/internal/repos/user/user.go
+++ b/apiserver/internal/repos/user/user.go
@@ -10,6 +10,8 @@ import (
 "gorm.io/gorm"
 )
+var ErrDisabledUser = errors.New("account is disabled")
+
 type IUserRepo interface {
 CreateUser(c context.Context, user *models.User) error
 GetUser(c context.Context, id int) (*models.User, error)
@@ -73,6 +75,9 @@ func (r *UserRepository) FindByEntraID(c context.Context, directoryID string, ob
 func (r *UserRepository) EnsureUser(c context.Context, directoryID string, objectID string) (*models.User, error) {
 user, err := r.FindByEntraID(c, directoryID, objectID)
 if err == nil {
+ if user.Disabled {
+ return nil, ErrDisabledUser
+ }
 return user, nil
 }
diff --git a/apiserver/internal/repos/user/user_test.go b/apiserver/internal/repos/user/user_test.go
index 87ab50d9..8040521d 100644
--- a/apiserver/internal/repos/user/user_test.go
+++ b/apiserver/internal/repos/user/user_test.go
@@ -144,6 +144,24 @@ func (s *UserTestSuite) TestEnsureUserReturnsExisting() {
 s.Equal(existing.ID, user.ID)
 }
+func (s *UserTestSuite) TestEnsureUserDisabled() {
+ ctx := context.Background()
+
+ disabled := &models.User{
+ DirectoryID: "disabled-dir",
+ ObjectID: "disabled-obj",
+ Disabled: true,
+ CreatedAt: time.Now(),
+ }
+
+ err := s.DB.Create(disabled).Error
+ s.Require().NoError(err)
+
+ _, err = s.repo.EnsureUser(ctx, "disabled-dir", "disabled-obj")
+ s.Require().Error(err)
+ s.ErrorIs(err, ErrDisabledUser)
+}
+
 func (s *UserTestSuite) TestEnsureUserRegistrationDisabled() {
 ctx := context.Background()
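Review bot: `ErrDisabledUser` is exported without a doc comment, so callers have no stated contract for when it is returned or how to test for it. I would add `// ErrDisabledUser is returned by EnsureUser when the matching account has Disabled set; match it with errors.Is.` above the declaration. If handlers forward the message text "account is disabled" to clients, the response reveals account state; whether they do is not visible in this diff, so it is worth confirming that the API layer maps the sentinel to a deliberate status and message.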
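Review bot: The `user.Disabled` check in the second hunk guards only the existing-user branch of EnsureUser; `FindByEntraID` and `GetUser`, both named in this file, still hand back disabled accounts with a nil error. If any request path resolves the caller through those instead of EnsureUser (for example when validating an already-issued session), disabling an account would not cut off access, though that cannot be confirmed from this hunk. I would either state the contract with `// Disabled accounts are rejected only here; FindByEntraID and GetUser return them unchanged.` or move the check into whichever lookup every authenticated request passes through. A rejected sign-in for a disabled account is also an event worth logging at the caller. The rest of EnsureUser's body lies outside the hunk.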
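Review bot: TestEnsureUserDisabled discards the first return value with `_, err = s.repo.EnsureUser(...)`, so a regression that returns the disabled record alongside the error would still pass. Capture it and assert it is nil: `user, err := s.repo.EnsureUser(ctx, "disabled-dir", "disabled-obj")` followed by `s.Nil(user)`. As a smaller style point, `s.Require().Error(err)` is redundant next to `s.ErrorIs(err, ErrDisabledUser)`; a single `s.Require().ErrorIs(err, ErrDisabledUser)` says the same thing.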