diff --git a/src/user-directory.js b/src/user-directory.js
index 0004a2bd7..7a8cffce0 100644
--- a/src/user-directory.js
+++ b/src/user-directory.js
@@ -41,6 +41,7 @@ async function setProfileConfig(profileConfig, options, auditSource) {
         for (const user of allUsers) {
             if (user.twoFactorAuthenticationEnabled) continue;
             if (options.persistUserIdSessions === user.id) continue; // do not logout the API caller
+            if (!user.username) continue; // if a user has no username set yet
 
             await tokens.delByUserIdAndType(user.id, oidcClients.ID_WEBADMIN);
             await oidcServer.revokeByUsername(user.username);