diff --git a/enterprise/server/routes/auth.py b/enterprise/server/routes/auth.py
index e1b6d15e15..218ba4c2fe 100644
--- a/enterprise/server/routes/auth.py
+++ b/enterprise/server/routes/auth.py
@@ -175,10 +175,20 @@ async def keycloak_callback(
             # For duplicate_email errors, clean up the newly created Keycloak user
             # (only if they're not already in our UserStore, i.e., they're a new user)
             if authorization.error_detail == 'duplicate_email':
-                existing_user = await UserStore.get_user_by_id(user_info.sub)
-                if not existing_user:
-                    # New user created during OAuth should be deleted from Keycloak
-                    await token_manager.delete_keycloak_user(user_info.sub)
+                try:
+                    existing_user = await UserStore.get_user_by_id(user_info.sub)
+                    if not existing_user:
+                        # New user created during OAuth should be deleted from Keycloak
+                        await token_manager.delete_keycloak_user(user_info.sub)
+                        logger.info(
+                            f'Deleted orphaned Keycloak user {user_info.sub} '
+                            'after duplicate_email rejection'
+                        )
+                except Exception as e:
+                    # Log but don't fail - user should still get 401 response
+                    logger.warning(
+                        f'Failed to clean up orphaned Keycloak user {user_info.sub}: {e}'
+                    )
             # Return unauthorized
             raise HTTPException(
                 status_code=status.HTTP_401_UNAUTHORIZED,
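Review bot: The new `except Exception as e` branch discards the traceback and formats the message eagerly, so a failure in either `UserStore.get_user_by_id` or `delete_keycloak_user` shows up as a single warning line with no indication of which call failed; use lazy arguments and keep the stack, `logger.warning('Failed to clean up orphaned Keycloak user %s', user_info.sub, exc_info=True)`. Because the `try` also wraps the store lookup, a lookup error now leaves the freshly created Keycloak account in place while the caller only sees the 401, and nothing records that the orphan still needs removal — worth an explicit comment on the `except` line such as `# Lookup or delete failed: the new Keycloak account may remain orphaned and needs follow-up cleanup`. The same f-string-in-logging pattern is on the `logger.info` call just above it and would take the same `%s` form. `keycloak_callback` begins and ends outside this hunk.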