diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/UserAdminController.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/UserAdminController.java
index 4ff56d27..387cfd64 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/UserAdminController.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/UserAdminController.java
@@ -207,8 +207,13 @@ public class UserAdminController {
 @PathVariable String userId,
 @Valid @RequestBody SetPasswordRequest request,
 HttpServletRequest httpRequest) {
+ // Block local UI users from resetting passwords when OIDC is enabled,
+ // but allow M2M callers (SaaS platform) identified by "oidc:" principal prefix
 if (oidcEnabled) {
- return ResponseEntity.badRequest().build();
+ String caller = httpRequest.getUserPrincipal() != null ? httpRequest.getUserPrincipal().getName() : "";
+ if (!caller.startsWith("oidc:")) {
+ return ResponseEntity.badRequest().build();
+ }
 }
 // Extract bare username from "user:username" format for policy check
 String username = userId.startsWith("user:") ? userId.substring(5) : userId;
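Review bot: The new guard `if (!caller.startsWith("oidc:"))` makes an authorization decision from a principal-name prefix, which is only safe if no authenticated caller can influence its own principal name; if the name is derived from a user-chosen username or from an identity-provider claim, a local or federated account whose name begins with `oidc:` would pass the gate and regain password reset when OIDC is enabled. Prefer a check on what the authentication filter actually asserts about the caller, e.g. `if (!httpRequest.isUserInRole("M2M")) { return ...; }` (substituting whichever authority the M2M/SaaS authentication path grants — not visible in this hunk), and treat the prefix at most as a secondary signal with a comment saying where principal names of that form are minted. Rejecting a non-M2M caller with 400 Bad Request is pre-existing, but since the branch is now an authorization refusal, `ResponseEntity.status(HttpStatus.FORBIDDEN).build()` would describe it more accurately and would not be mistaken for a malformed-request error by clients. The enclosing method's signature begins before the hunk and its body continues past it, so whether the M2M caller is further restricted to specific target users cannot be judged from here.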