diff --git a/packages/sync-server/src/accounts/openid.js b/packages/sync-server/src/accounts/openid.js index ba734f30828..a44c158238b 100644 --- a/packages/sync-server/src/accounts/openid.js +++ b/packages/sync-server/src/accounts/openid.js @@ -192,8 +192,8 @@ export async function loginWithOpenIdFinalize(body) { userInfo.login ?? userInfo.email ?? userInfo.id ?? - userInfo.name ?? - 'default-username'; + userInfo.sub; + if (identity == null) { return { error: 'openid-grant-failed: no identification was found' }; } @@ -205,7 +205,10 @@ export async function loginWithOpenIdFinalize(body) { 'SELECT count(*) as countUsersWithUserName FROM users WHERE user_name <> ?', [''], ); - if (countUsersWithUserName === 0) { + if ( + countUsersWithUserName === 0 || + config.get('userCreationMode') === 'login' + ) { userId = uuidv4(); // Check if user was created by another transaction const existingUser = accountDb.first( @@ -216,18 +219,21 @@ export async function loginWithOpenIdFinalize(body) { throw new Error('user-already-exists'); } accountDb.mutate( - 'INSERT INTO users (id, user_name, display_name, enabled, owner, role) VALUES (?, ?, ?, 1, 1, ?)', + 'INSERT INTO users (id, user_name, display_name, enabled, owner, role) VALUES (?, ?, ?, 1, ?, ?)', [ userId, identity, userInfo.name ?? userInfo.email ?? identity, - 'ADMIN', + countUsersWithUserName === 0 ? '1' : '0', + countUsersWithUserName === 0 ? 'ADMIN' : 'BASIC', ], ); - const userFromPasswordMethod = getUserByUsername(''); - if (userFromPasswordMethod) { - transferAllFilesFromUser(userId, userFromPasswordMethod.user_id); + if (countUsersWithUserName === 0) { + const userFromPasswordMethod = getUserByUsername(''); + if (userFromPasswordMethod) { + transferAllFilesFromUser(userId, userFromPasswordMethod.user_id); + } } } else { const { id: userIdFromDb, display_name: displayName } = diff --git a/packages/sync-server/src/config-types.ts b/packages/sync-server/src/config-types.ts index 3e9e76d1365..c3c0367791c 100644 
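Review bot: The `if (identity == null) {` guard kept below the new `userInfo.sub` fallback still accepts an empty string, because `??` only skips `null` and `undefined`, so an empty `login` or `email` claim becomes the identity. Elsewhere in this diff `''` is the user_name of the password-method account (`getUserByUsername('')`, `WHERE user_name <> ?` bound to `['']`), so it should be rejected here: `if (identity == null || String(identity).trim() === '') {`. Separately, the visible part of the chain prefers the mutable claims `login` and `email` over `sub`, which is the claim OpenID Connect defines as stable and unique per issuer. Now that the identity can also create accounts, keying on `sub` or requiring a verified email deserves a comment or a follow-up. The start of the `??` expression is outside the hunk.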
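Review bot: With `userCreationMode` set to `login`, this condition sends every successful OpenID login into the creation branch, including logins by identities that already have an account. The lookup under `// Check if user was created by another transaction` sits between this hunk and the next and is not visible. If it matches on the incoming identity, a returning user would hit `throw new Error('user-already-exists')` on the second login instead of reaching the `else` branch. Consider resolving the existing user first and creating only when none is found, e.g. `if (!existingUser && (countUsersWithUserName === 0 || config.get('userCreationMode') === 'login')) {`. The function body starts and ends outside the hunk.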
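Review bot: The `owner` parameter is now bound as the strings `'1'` / `'0'`, where the old statement wrote the integer literal `1`. Whether SQLite coerces these back to integers depends on the column's declared affinity, which this diff does not show. If the value ends up stored as text, `'0'` is truthy in JavaScript, so a truthiness check on `owner` would treat a BASIC user as owner. Bind numbers and compute the flag once, so that owner, role and the file transfer cannot drift apart: `const isFirstUser = countUsersWithUserName === 0;`, then `isFirstUser ? 1 : 0,` and `isFirstUser ? 'ADMIN' : 'BASIC',`.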
--- a/packages/sync-server/src/config-types.ts +++ b/packages/sync-server/src/config-types.ts @@ -40,4 +40,5 @@ export interface Config { }; token_expiration?: 'never' | 'openid-provider' | number; enforceOpenId: boolean; + userCreationMode?: 'manual' | 'login'; } diff --git a/packages/sync-server/src/load-config.js b/packages/sync-server/src/load-config.js index f39c6492b08..4bfc8ed3b63 100644 --- a/packages/sync-server/src/load-config.js +++ b/packages/sync-server/src/load-config.js @@ -253,6 +253,13 @@ const configSchema = convict({ default: false, env: 'ACTUAL_OPENID_ENFORCE', }, + + userCreationMode: { + doc: 'Determines how users can be created.', + format: ['manual', 'login'], + default: 'manual', + env: 'ACTUAL_USER_CREATION_MODE', + }, }); let configPath = null; diff --git a/upcoming-release-notes/4421.md b/upcoming-release-notes/4421.md new file mode 100644 index 00000000000..3d74843652e --- /dev/null +++ b/upcoming-release-notes/4421.md @@ -0,0 +1,6 @@ +--- +category: Enhancements +authors: [lelemm] +--- + +Added `ACTUAL_USER_CREATION_MODE=login` enviroment variable to create users on login
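Review bot: The `doc` text for `userCreationMode` does not tell an operator what `login` grants. Judging by the openid.js hunks, any identity that completes the OpenID login gets an enabled `BASIC` account on first sign-in, so access control moves entirely to the identity provider. I would spell that out, for example `doc: 'How user accounts are created: "manual" keeps creation explicit; "login" creates an enabled BASIC user for any identity that completes OpenID login. Use "login" only when the provider itself restricts who can sign in.',`. The meaning of `manual` is inferred from the default and should be confirmed.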