diff --git a/scripts/tests/test_portal_onboarding_flow.py b/scripts/tests/test_portal_onboarding_flow.py
index a34c36d..c75ec56 100644
--- a/scripts/tests/test_portal_onboarding_flow.py
+++ b/scripts/tests/test_portal_onboarding_flow.py
@@ -387,14 +387,21 @@ def main() -> int:
 if isinstance(required_actions, list):
 required = {a for a in required_actions if isinstance(a, str)}
- missing = [name for name in ("UPDATE_PASSWORD", "VERIFY_EMAIL") if name not in required]
- if missing:
- raise SystemExit(f"Keycloak user missing required actions {missing}: requiredActions={sorted(required)}")
- if "CONFIGURE_TOTP" in required:
+ unexpected = sorted(required.intersection({"UPDATE_PASSWORD", "VERIFY_EMAIL", "CONFIGURE_TOTP"}))
+ if unexpected:
 raise SystemExit(
- f"Keycloak user should not require CONFIGURE_TOTP at first login: requiredActions={sorted(required)}"
+ "Keycloak user should not require actions at first login "
+ f"(Vaultwarden-first onboarding): unexpected requiredActions={unexpected} full={sorted(required)}"
 )
+ email_verified = full.get("emailVerified")
+ if email_verified is not True:
+ raise SystemExit(f"Keycloak user should have emailVerified=true: emailVerified={email_verified!r}")
+
+ kc_email = full.get("email")
+ if isinstance(kc_email, str) and contact_email and kc_email != contact_email:
+ raise SystemExit(f"Keycloak user email mismatch: expected {contact_email!r} got {kc_email!r}")
+
 print(f"PASS: onboarding provisioning completed for {request_code} ({username})")
 return 0
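Review bot: The email comparison at the end of the hunk fails open: `if isinstance(kc_email, str) and contact_email and kc_email != contact_email` is skipped whenever Keycloak returns no `email` or `contact_email` is empty, so the test can pass with `emailVerified=true` asserted on an address it never compared. Because the test now expects the account to arrive pre-verified with no `VERIFY_EMAIL` action, the match should be mandatory, e.g. `if not isinstance(kc_email, str) or kc_email != contact_email:`, comparing case-insensitively if the portal does not already lowercase `contact_email`. The required-actions check likewise rejects only the three named actions while its message says no actions are expected at first login; if that is the intent, `if required:` states it directly and would also catch any other pending action. `main()` starts outside the hunk, so where `full` and `contact_email` are set is not visible here.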