diff --git a/src/settings.js b/src/settings.js
index d1382d0e4..4ca47e3f6 100644
--- a/src/settings.js
+++ b/src/settings.js
@@ -499,6 +499,8 @@ function setExternalLdapConfig(externalLdapConfig, callback) {
     assert.strictEqual(typeof externalLdapConfig, 'object');
     assert.strictEqual(typeof callback, 'function');
 
+    if (settings.isDemo()) return callback(new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode'));
+
     getExternalLdapConfig(function (error, currentConfig) {
         if (error) return callback(error);
 
@@ -597,6 +599,8 @@ function setDirectoryConfig(directoryConfig, callback) {
     assert.strictEqual(typeof directoryConfig, 'object');
     assert.strictEqual(typeof callback, 'function');
 
+    if (settings.isDemo()) return callback(new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode'));
+
     settingsdb.set(exports.DIRECTORY_CONFIG_KEY, JSON.stringify(directoryConfig), function (error) {
         if (error) return callback(error);
 
diff --git a/src/users.js b/src/users.js
index d24a83939..871546be1 100644
--- a/src/users.js
+++ b/src/users.js
@@ -660,6 +660,8 @@ function setTwoFactorAuthenticationSecret(userId, callback) {
     userdb.get(userId, function (error, result) {
         if (error) return callback(error);
 
+        if (settings.isDemo() && result.username === constants.DEMO_USERNAME) return callback(new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode'));
+
         if (result.twoFactorAuthenticationEnabled) return callback(new BoxError(BoxError.ALREADY_EXISTS));
 
         var secret = speakeasy.generateSecret({ name: `Cloudron ${settings.adminFqdn()} (${result.username})` });