diff --git a/src/users.js b/src/users.js
index ea121ad9f..4703c83c9 100644
--- a/src/users.js
+++ b/src/users.js
@@ -887,19 +887,33 @@ async function setupAccount(user, data, auditSource) {
     assert.strictEqual(typeof data, 'object');
     assert(auditSource && typeof auditSource === 'object');
-    const profileConfig = await userDirectory.getProfileConfig();
-    const tmp = { inviteToken: '' };
-    if (profileConfig.lockUserProfiles) {
-        if (!user.username) throw new BoxError(BoxError.CONFLICT, 'Account cannot be setup without a username'); // error out if admin has not provided a username
-    } else {
-        if (data.username) tmp.username = data.username;
-        if (data.displayName) tmp.displayName = data.displayName;
+    if (data.username) {
+        const error = validateUsername(data.username);
+        if (error) throw error;
+
+        tmp.username = data.username;
+    }
+
+    if (data.displayName) {
+        const error = validateDisplayName(data.displayName);
+        if (error) throw error;
+
+        tmp.displayName = data.displayName;
+    }
+
+    const error = validatePassword(data.password);
+    if (error) throw error;
+
+    const profileConfig = await userDirectory.getProfileConfig();
+
+    // error out if admin has not provided a username
+    if (profileConfig.lockUserProfiles && !user.username) {
+        throw new BoxError(BoxError.CONFLICT, 'Account cannot be setup without a username');
     }
     await update(user, tmp, auditSource);
-    await setPassword(user, data.password, auditSource);
     const token = { clientId: oidcClients.ID_WEBADMIN, identifier: user.id, expires: Date.now() + constants.DEFAULT_TOKEN_EXPIRATION_MSECS, allowedIpRanges: '' };
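Review bot: The `lockUserProfiles` check no longer gates the caller-supplied `username`/`displayName`: the old code only copied `data.username` and `data.displayName` into `tmp` in the `else` branch, while the new code assigns them unconditionally and then only verifies that `user.username` exists, so a user completing setup can overwrite the admin-provided profile fields even when profiles are locked. Fetching `profileConfig` first and guarding each block with `if (!profileConfig.lockUserProfiles && data.username) {` (and likewise for `displayName`) would restore the previous behaviour while keeping the new validation. Separately, `setPassword(user, data.password, auditSource)` is removed and `validatePassword(data.password)` added, but nothing in the hunk stores `data.password` anywhere (`tmp.password` is never assigned), so unless `update` obtains it some other way the validated password is never persisted. The removed `const tmp = { inviteToken: '' };` also has no replacement in the hunk; if `tmp` is not declared earlier in the function (outside this view), `tmp.username = ...` will throw a ReferenceError and `inviteToken` is no longer cleared. setupAccount's body continues past the end of the hunk.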