diff --git a/src/Foundation/Authorization.hs b/src/Foundation/Authorization.hs
index 507c0619e..770ef64f9 100644
--- a/src/Foundation/Authorization.hs
+++ b/src/Foundation/Authorization.hs
@@ -1531,7 +1531,10 @@ tagAccessPredicate AuthIsExternal = APDB $ \_ _ _ route _ -> exceptT return retu
 CourseR _ _ _ (CUserR cID) -> return cID
 _other -> throwError =<< $unsupportedAuthPredicate AuthIsExternal route
 referencedUser' <- catchIfMExceptT (const $ unauthorizedI MsgUnauthorizedSelf) (const True :: CryptoIDError -> Bool) $ decrypt referencedUser
- let availableSources = error "tagAccessPredicate: no available sources yet" -- TODO: implement once config supports source idents
+ availableSources <- getsYesod (view _appUserAuthConf) >>= \case
+ UserAuthConfSingleSource{..} -> return . singleton $ case userAuthConfSingleSource of
+ AuthSourceConfAzureAdV2 AzureConf{..} -> AuthSourceIdAzure azureConfTenantId
+ AuthSourceConfLdap LdapConf{..} -> AuthSourceIdLdap ldapConfSourceId
 maybeTMExceptT (unauthorizedI MsgUnauthorizedExternal) $ do
 Entity _ User{userIdent} <- MaybeT $ getEntity referencedUser'
 guardM . lift $ exists [ ExternalUserUser ==. userIdent, ExternalUserSource <-. availableSources ]
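Review bot: The added `\case` on `_appUserAuthConf` matches only `UserAuthConfSingleSource`, and the inner `case` only the Azure and LDAP constructors. Neither type definition is visible here, so if either has or later gains another constructor, this authorization predicate ends in a pattern-match exception instead of an explicit decision. Because `availableSources` determines which `ExternalUserSource` rows satisfy the `exists` check below, I would state the unsupported case explicitly, for example with a final alternative `_other -> throwError =<< $unsupportedAuthPredicate AuthIsExternal route`, or confirm that incomplete patterns are a compile error in this build. A comment above the binding such as `-- only sources enabled in the running config count as external` would also record why the list comes from configuration. The body of `tagAccessPredicate AuthIsExternal` starts and ends outside this hunk.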