diff --git a/backend/atlas_portal/keycloak.py b/backend/atlas_portal/keycloak.py
index 64f9b8b..970f009 100644
--- a/backend/atlas_portal/keycloak.py
+++ b/backend/atlas_portal/keycloak.py
@@ -94,7 +94,9 @@ class KeycloakAdminClient:
 
     def find_user(self, username: str) -> dict[str, Any] | None:
         url = f"{settings.KEYCLOAK_ADMIN_URL}/admin/realms/{settings.KEYCLOAK_REALM}/users"
-        params = {"username": username, "exact": "true"}
+        # Keycloak 26.x in our environment intermittently 400s on filtered user queries unless `max` is set.
+        # Use `max=1` and exact username match to keep admin calls reliable for portal provisioning.
+        params = {"username": username, "exact": "true", "max": "1"}
         with httpx.Client(timeout=settings.HTTP_CHECK_TIMEOUT_SEC) as client:
             resp = client.get(url, params=params, headers=self._headers())
             resp.raise_for_status()