diff --git a/backend/helpers/provision.py b/backend/helpers/provision.py
index 95e8fee60d9f797d230e59a273dc68574a68da52..237ad5d1662642a7227b6e0d434a8192c77e7127 100644
--- a/backend/helpers/provision.py
+++ b/backend/helpers/provision.py
@@ -139,12 +139,15 @@ class ScimUser:
 # do the corresponding SCIM calls to those apps to do the actual provisioning.
 class Provision:
 def __init__(self):
- self.initialised = False
+ # Set up kratos API client.
+ kratos_admin_api_configuration = ory_kratos_client.Configuration(host=config.KRATOS_ADMIN_URL, discard_unknown_keys=True)
+ kratos_admin_client = ory_kratos_client.ApiClient(kratos_admin_api_configuration)
+ self.kratos_identity_api = identity_api.IdentityApi(kratos_admin_client)
 # We don't do this in init, because at the moment this object is created we
 # might not have performed the database migration yet that creates the scim
- # config columns. This function will be called once automatically at the
- # start of `reconcile`.
+ # config columns. This function will be called at the start of `reconcile`
+ # to make sure we have the most recent list of SCIM-enabled apps.
 def _load_config(self):
 logging.info("Loading SCIM configuration from database for all apps.")
 database_apps = App.query.filter(App.scim_url != None).all()
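Review bot: `__init__` now builds only the Kratos admin client and sets no SCIM state, so `self.enabled` and `self.scim_apps` do not exist until the first `reconcile` has called `_load_config`. `app_supported` in the next hunk reads `self.scim_apps` directly and would raise `AttributeError` if anything calls it earlier; it is safer to fail closed by initialising both in `__init__`, e.g. `self.enabled = False` and `self.scim_apps = {}` (use whatever container type `_load_config` builds, which is not visible here). The comment above `_load_config` could also name what "this" is now that it follows the Kratos setup: `# We don't load the SCIM config in __init__, because ...`. The body of `_load_config` continues outside the hunk.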
@@ -160,22 +163,15 @@ class Provision:
 self.enabled = enabled
 self.scim_apps = apps
- # Set up kratos API client.
- kratos_admin_api_configuration = ory_kratos_client.Configuration(host=config.KRATOS_ADMIN_URL, discard_unknown_keys=True)
- kratos_admin_client = ory_kratos_client.ApiClient(kratos_admin_api_configuration)
- self.kratos_identity_api = identity_api.IdentityApi(kratos_admin_client)
-
- self.initialised = True
-
 def app_supported(self, app):
 return (app.id in self.scim_apps)
 def reconcile(self):
- logging.info("Reconciling user provisioning")
- if not self.initialised:
- self._load_config()
+ logging.info("User provisioning run.")
+ self._load_config()
 # Collect existing in-app users and groups in advance so we can compare to that
 # efficiently when we go over the dashboard users.
+ # TODO: only do this for apps that we have any use for.
 existing_users = {}
 existing_groups = {}
 admin_group = {}
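Review bot: With the `initialised` guard gone, `self._load_config()` at the top of `reconcile` re-reads every app's `scim_url` from the database on each run, so an edited row becomes a live provisioning target on the next run without a restart or any record of the change. Whether `_load_config` validates the URL is not visible in these hunks; if it does not, check the scheme and host there before the app is added to `apps`, and log when the set of SCIM-enabled apps differs from the previous run. A comment at the call would record the intent: `# Reload on every run: scim_url comes from the database and must be validated in _load_config.` An exception from the query can now abort every run rather than only the first, so confirm the caller handles that. `reconcile` continues past the end of the hunk.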