diff --git a/elixir/apps/domain/lib/domain/auth/provider/changeset.ex b/elixir/apps/domain/lib/domain/auth/provider/changeset.ex
index f939ee54d..957379b7d 100644
--- a/elixir/apps/domain/lib/domain/auth/provider/changeset.ex
+++ b/elixir/apps/domain/lib/domain/auth/provider/changeset.ex
@@ -85,6 +85,10 @@ defmodule Domain.Auth.Provider.Changeset do
 name: :auth_providers_account_id_oidc_adapter_index,
 message: "this provider is already connected"
 )
+ |> unique_constraint(:base,
+ name: :unique_account_adapter_index,
+ message: "only one of this adapter type may be enabled per account"
+ )
 |> validate_provisioner()
 |> validate_required(@required_fields)
 end
diff --git a/elixir/apps/domain/priv/repo/migrations/20250422031005_create_unique_index_auth_provider_account_adapter.exs b/elixir/apps/domain/priv/repo/migrations/20250422031005_create_unique_index_auth_provider_account_adapter.exs
new file mode 100644
index 000000000..2670e44bd
--- /dev/null
+++ b/elixir/apps/domain/priv/repo/migrations/20250422031005_create_unique_index_auth_provider_account_adapter.exs
@@ -0,0 +1,14 @@
+defmodule Domain.Repo.Migrations.CreateUniqueIndexAuthProviderAccountAdapter do
+ use Ecto.Migration
+
+ def change do
+ create(
+ index(:auth_providers, [:account_id, :adapter],
+ unique: true,
+ name: :unique_account_adapter_index,
+ where:
+ "deleted_at IS NULL AND adapter IN ('mock', 'google_workspace', 'okta', 'jumpcloud', 'microsoft_entra')"
+ )
+ )
+ end
+end
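Review bot: The message on the added `unique_constraint(:base, ...)` says "enabled", but the index it names is created in this commit's migration with a predicate of only `deleted_at IS NULL` plus the adapter list. If providers can be disabled without being deleted, a disabled one would presumably still trip this constraint, and the error would mislead an admin who is trying to replace it. Either reword it, e.g. `message: "only one provider of this adapter type may exist per account"`, or narrow the index predicate if disabled providers are meant to be exempt. The enclosing function starts above the hunk, so whether `:base` errors reach the caller's form cannot be confirmed from here.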
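Review bot: The unique index created in `change/0` will fail to build if any account already holds two non-deleted providers with the same listed adapter, and nothing in this migration detects or resolves such rows first. A preceding data check or cleanup step would keep a deploy from aborting partway. The adapter list in `where:` is also a SQL literal, so an adapter added later falls outside the one-per-account rule until the index is rebuilt. A comment above the index would record that, e.g. `# Adapter list is fixed in the index predicate; adding an adapter needs a new migration to recreate this index`.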