diff --git a/backend/atlas_portal/provisioning.py b/backend/atlas_portal/provisioning.py
index b231a07..ead8b24 100644
--- a/backend/atlas_portal/provisioning.py
+++ b/backend/atlas_portal/provisioning.py
@@ -181,15 +181,14 @@ def provision_access_request(request_code: str) -> ProvisionResult:
 email = contact_email.strip()
 if not email:
 raise RuntimeError("missing verified email address")
- email_is_verified = bool(email_verified_at)
- required_actions = ["UPDATE_PASSWORD", "CONFIGURE_TOTP"]
- if not email_is_verified:
- required_actions.append("VERIFY_EMAIL")
+ # Always enforce email verification in Keycloak itself (even if the portal
+ # already verified an external email before approval).
+ required_actions = ["UPDATE_PASSWORD", "VERIFY_EMAIL", "CONFIGURE_TOTP"]
 payload = {
 "username": username,
 "enabled": True,
 "email": email,
- "emailVerified": email_is_verified,
+ "emailVerified": False,
 "requiredActions": required_actions,
 "attributes": {MAILU_EMAIL_ATTR: [mailu_email]},
 }
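Review bot: The payload now hard-codes `"emailVerified": False` and always lists `VERIFY_EMAIL`, so if the same payload is also sent when provisioning is retried for a user who already exists in Keycloak, it would clear a verification that user has already completed and queue the required actions again. The call that sends the payload is outside this hunk, so please confirm it runs only on user creation, or build the update payload without `emailVerified` and `requiredActions`. Separately, `email_verified_at` is no longer read in the visible lines, so the guard's message `"missing verified email address"` no longer matches what is checked; consider `raise RuntimeError("missing contact email address")` and dropping the `email_verified_at` lookup if nothing else in provision_access_request uses it. The function starts before and continues past this hunk, so both points need checking against the full body.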