diff --git a/tests/tine20/Tinebase/Auth/MFATest.php b/tests/tine20/Tinebase/Auth/MFATest.php
index c9300e4197d..9b2467f66c2 100644
--- a/tests/tine20/Tinebase/Auth/MFATest.php
+++ b/tests/tine20/Tinebase/Auth/MFATest.php
@@ -461,6 +461,8 @@ public function testGenericSmsAdapter()
 
     public function testWebAuthNPwdLessLogin(): void
     {
+        $this->_skipIfLDAPBackend('fails with TypeError in \Tinebase_Model_MFA_UserConfig::updateUserOldRecordCallback');
+
         $this->_originalTestUser->mfa_configs = new Tinebase_Record_RecordSet(
             Tinebase_Model_MFA_UserConfig::class, [[
             Tinebase_Model_MFA_UserConfig::FLD_ID => 'unittest',
diff --git a/tine20/Tinebase/User/ActiveDirectory.php b/tine20/Tinebase/User/ActiveDirectory.php
index 8187362e1b9..bdca74beef9 100644
--- a/tine20/Tinebase/User/ActiveDirectory.php
+++ b/tine20/Tinebase/User/ActiveDirectory.php
@@ -167,12 +167,14 @@ public function addUserToSyncBackend(Tinebase_Model_FullUser $_user)
 
         // add user to primary group and set primary group
         /** @noinspection PhpUndefinedMethodInspection */
-        Tinebase_Group::getInstance()->addGroupMemberInSyncBackend(Tinebase_Config::getInstance()->{Tinebase_Config::USERBACKEND}->{Tinebase_Config::SYNCOPTIONS}->{Tinebase_Config::SYNC_DEVIATED_PRIMARY_GROUP_UUID} ?: $_user->accountPrimaryGroup, $_user, false);
+        Tinebase_Group::getInstance()->addGroupMemberInSyncBackend(Tinebase_Config::getInstance()->
+            {Tinebase_Config::USERBACKEND}->{Tinebase_Config::SYNCOPTIONS}->{Tinebase_Config::SYNC_DEVIATED_PRIMARY_GROUP_UUID}
+            ?: $_user->accountPrimaryGroup, $userId, false);
         
         // set primary group id
         $this->_ldap->updateProperty($dn, array('primarygroupid' => $primaryGroupId));
 
-        $user = $this->getUserByPropertyFromSyncBackend('accountId', $_user, 'Tinebase_Model_FullUser');
+        $user = $this->getUserByPropertyFromSyncBackend('accountId', $userId, 'Tinebase_Model_FullUser');
 
         if (Tinebase_Config::getInstance()->{Tinebase_Config::USERBACKEND}->{Tinebase_Config::SYNCOPTIONS}->{Tinebase_Config::PWD_CANT_CHANGE}) {
             $user->accountId = $_user->accountId;
diff --git a/tine20/Tinebase/User/Ldap.php b/tine20/Tinebase/User/Ldap.php
index 09927e59192..5cbade6b4a1 100644
--- a/tine20/Tinebase/User/Ldap.php
+++ b/tine20/Tinebase/User/Ldap.php
@@ -350,7 +350,7 @@ public function getLdap()
     }
 
     /**
-     * get user by login name
+     * get user by given property
      *
      * @param   string $_property
      * @param   string $_accountId
@@ -364,8 +364,13 @@ public function getUserByPropertyFromSyncBackend($_property, $_accountId, $_acco
             throw new Tinebase_Exception_NotFound("can't get user by property $_property. property not supported by ldap backend.");
         }
 
+        // TODO this seems not to be correct - only do this in certain cases?
         if ('accountId' === $_property && ! $_accountId instanceof Tinebase_Model_FullUser) {
-            $_accountId = $this->getFullUserById($_accountId);
+            try {
+                $_accountId = $this->getFullUserById($_accountId);
+            } catch (Tinebase_Exception_NotFound $tenf) {
+                // user might not exist, yet (i.e. was just added via \Tinebase_User_ActiveDirectory::addUserToSyncBackend)
+            }
         }
         $ldapEntry = $this->_getLdapEntry($_property, $_accountId);