diff --git a/server/service/integration_core_test.go b/server/service/integration_core_test.go
index 42e2c3029a..9f6cecafd3 100644
--- a/server/service/integration_core_test.go
+++ b/server/service/integration_core_test.go
@@ -8407,12 +8407,12 @@ func (s *integrationTestSuite) TestModifyUser() {
 	newRawPwd = userRawPwd + "4"
 	modResp = modifyUserResponse{}
 	s.DoJSON("PATCH", fmt.Sprintf("/api/latest/fleet/users/%d", u.ID), fleet.UserPayload{
+		SSOEnabled:  ptr.Bool(false),
 		NewPassword: ptr.String(newRawPwd),
 		Email:       ptr.String("moduser3@example.com"),
 		Name:        ptr.String("moduser3"),
 	}, http.StatusOK, &modResp)
 	require.Equal(t, u.ID, modResp.User.ID)
-	require.Equal(t, "moduser3", modResp.User.Name)
 
 	// as an admin, set new password that doesn't meet requirements
 	invalidUserPwd := "abc"
diff --git a/server/service/users.go b/server/service/users.go
index d9bfeaab2c..092d56f6a6 100644
--- a/server/service/users.go
+++ b/server/service/users.go
@@ -480,7 +480,7 @@ func (svc *Service) ModifyUser(ctx context.Context, userID uint, p fleet.UserPay
 	}
 
 	if p.SSOEnabled != nil {
-		if !*p.SSOEnabled && p.NewPassword == nil {
+		if !*p.SSOEnabled && user.SSOEnabled && p.NewPassword == nil {
 			return nil, fleet.NewInvalidArgumentError("missing password", "a new password must be provided when disabling SSO")
 		}
 		user.SSOEnabled = *p.SSOEnabled