diff --git a/services/keycloak/realm-settings-job.yaml b/services/keycloak/realm-settings-job.yaml
index cb05a6d..bd4fa25 100644
--- a/services/keycloak/realm-settings-job.yaml
+++ b/services/keycloak/realm-settings-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: keycloak-realm-settings-11
+ name: keycloak-realm-settings-12
 namespace: sso
 spec:
 backoffLimit: 0
@@ -137,6 +137,56 @@ spec:
 if status not in (200, 204):
 raise SystemExit(f"Unexpected realm update response: {status}")
+ # Ensure required custom user-profile attributes exist.
+ profile_url = f"{base_url}/admin/realms/{realm}/users/profile"
+ status, profile = http_json("GET", profile_url, access_token)
+ if status == 200 and isinstance(profile, dict):
+ attrs = profile.get("attributes")
+ if not isinstance(attrs, list):
+ attrs = []
+ has_mailu_email = any(
+ isinstance(item, dict) and item.get("name") == "mailu_email" for item in attrs
+ )
+ if not has_mailu_email:
+ attrs.append(
+ {
+ "name": "mailu_email",
+ "displayName": "Atlas Mailbox",
+ "multivalued": False,
+ "annotations": {"group": "user-metadata"},
+ "permissions": {"view": ["admin"], "edit": ["admin"]},
+ "validations": {"email": {}, "length": {"max": 255}},
+ }
+ )
+ profile["attributes"] = attrs
+ status, _ = http_json("PUT", profile_url, access_token, profile)
+ if status not in (200, 204):
+ raise SystemExit(f"Unexpected user-profile update response: {status}")
+
+ # Ensure basic realm groups exist for provisioning.
+ for group_name in ("dev", "admin"):
+ status, groups = http_json(
+ "GET",
+ f"{base_url}/admin/realms/{realm}/groups?search={urllib.parse.quote(group_name)}",
+ access_token,
+ )
+ exists = False
+ if status == 200 and isinstance(groups, list):
+ for item in groups:
+ if isinstance(item, dict) and item.get("name") == group_name:
+ exists = True
+ break
+ if exists:
+ continue
+ status, _ = http_json(
+ "POST",
+ f"{base_url}/admin/realms/{realm}/groups",
+ access_token,
+ {"name": group_name},
+ )
+ if status not in (201, 204):
+ raise SystemExit(f"Unexpected group create response for {group_name}: {status}")
+
 # Ensure MFA is on by default for newly-created users.
 status, required_actions = http_json(
 "GET",
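Review bot: A failed GET of the user-profile endpoint is silently skipped at `if status == 200 and isinstance(profile, dict):` — on any other status the `mailu_email` attribute is never created, yet the job still exits 0, unlike the realm update just above it which raises on an unexpected status. The group loop has the same gap: a non-200 search leaves `exists` False, so the script goes on to POST and a pre-existing group then surfaces as a misleading "group create" error rather than a search failure. I'd add an `else:` after the profile block with `raise SystemExit(f"Unexpected user-profile fetch response: {status}")`, and before the group POST `if status != 200: raise SystemExit(f"Unexpected group search response for {group_name}: {status}")`, which also keeps a transient auth or network error from being masked. The surrounding script body starts and ends outside the hunk, so whether `urllib.parse` is imported there cannot be confirmed from this view.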