diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index fdc0815a01f..932de723b6f 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -423,6 +423,8 @@ class Admin::UsersController < Admin::AdminController
       render_serialized(user, AdminDetailedUserSerializer, root: false)
     rescue ActiveRecord::RecordInvalid => ex
       render json: failed_json.merge(message: ex.message), status: 403
+    rescue DiscourseSingleSignOn::BlankExternalId => ex
+      render json: failed_json.merge(message: I18n.t('sso.blank_id_error')), status: 422
     end
   end
 
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 312fcbebc0f..80d2a02cf4f 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -2231,6 +2231,7 @@ en:
     unknown_error: "There is a problem with your account. Please contact the site's administrator."
     timeout_expired: "Account login timed out, please try logging in again."
     no_email: "No email address was provided. Please contact the site's administrator."
+    blank_id_error: "The `external_id` is required but was blank"
     email_error: "An account could not be registered with the email address <b>%{email}</b>. Please contact the site's administrator."
     missing_secret: "SSO authentication failed due to missing secret. Contact the site administrators to fix this problem."
 
diff --git a/spec/requests/admin/users_controller_spec.rb b/spec/requests/admin/users_controller_spec.rb
index 2e787bb4ad6..49a730ef641 100644
--- a/spec/requests/admin/users_controller_spec.rb
+++ b/spec/requests/admin/users_controller_spec.rb
@@ -872,6 +872,16 @@ RSpec.describe Admin::UsersController do
       expect(JSON.parse(response.body)["message"]).to include(I18n.t('sso.login_error'))
       expect(JSON.parse(response.body)["message"]).not_to include(correct_payload["sig"])
     end
+
+    it "returns 404 if the external id does not exist" do
+      sso.name = "Dr. Claw"
+      sso.username = "dr_claw"
+      sso.email = "dr@claw.com"
+      sso.external_id = ""
+      post "/admin/users/sync_sso.json", params: Rack::Utils.parse_query(sso.payload)
+      expect(response.status).to eq(422)
+      expect(JSON.parse(response.body)["message"]).to include(I18n.t('sso.blank_id_error'))
+    end
   end
 
   describe '#disable_second_factor' do