diff --git a/apps/files_external/lib/Controller/AjaxController.php b/apps/files_external/lib/Controller/AjaxController.php
index 72518106530..6ec60406d0c 100644
--- a/apps/files_external/lib/Controller/AjaxController.php
+++ b/apps/files_external/lib/Controller/AjaxController.php
@@ -13,6 +13,7 @@ use OCA\Files_External\Lib\Auth\PublicKey\RSA;
 use OCA\Files_External\Settings\Admin;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\JSONResponse;
@@ -54,6 +55,7 @@ class AjaxController extends Controller {
 	 * @param int|null $offset The offset from which to start returning results
 	 * @return JSONResponse
 	 */
+	#[AuthorizedAdminSetting(settings: Admin::class)]
 	public function getApplicableEntities(string $pattern = '', ?int $limit = null, ?int $offset = null): JSONResponse {
 		$groups = [];
 		foreach ($this->groupManager->search($pattern, $limit, $offset) as $group) {
diff --git a/apps/files_external/tests/Controller/AjaxControllerTest.php b/apps/files_external/tests/Controller/AjaxControllerTest.php
index 7fd5255e93a..5a2e0981ebc 100644
--- a/apps/files_external/tests/Controller/AjaxControllerTest.php
+++ b/apps/files_external/tests/Controller/AjaxControllerTest.php
@@ -13,6 +13,7 @@ use OCA\Files_External\Lib\Auth\Password\GlobalAuth;
 use OCA\Files_External\Lib\Auth\PublicKey\RSA;
 use OCA\Files_External\Settings\Admin;
 use OCP\AppFramework\Http\JSONResponse;
+use OCP\IGroup;
 use OCP\IGroupManager;
 use OCP\IL10N;
 use OCP\IRequest;
@@ -67,6 +68,50 @@ class AjaxControllerTest extends TestCase {
 		parent::setUp();
 	}
 
+	public function testGetApplicableEntitiesReturnsGroupsAndUsers(): void {
+		$group = $this->createMock(IGroup::class);
+		$group->method('getGID')->willReturn('group1');
+		$group->method('getDisplayName')->willReturn('Group One');
+
+		$user = $this->createMock(IUser::class);
+		$user->method('getUID')->willReturn('user1');
+		$user->method('getDisplayName')->willReturn('User One');
+
+		$this->groupManager
+			->expects($this->once())
+			->method('search')
+			->with('test', 10, 0)
+			->willReturn([$group]);
+		$this->userManager
+			->expects($this->once())
+			->method('searchDisplayName')
+			->with('test', 10, 0)
+			->willReturn([$user]);
+
+		$response = $this->ajaxController->getApplicableEntities('test', 10, 0);
+		$this->assertSame(200, $response->getStatus());
+		$this->assertSame(['group1' => 'Group One'], $response->getData()['groups']);
+		$this->assertSame(['user1' => 'User One'], $response->getData()['users']);
+	}
+
+	public function testGetApplicableEntitiesWithNoResults(): void {
+		$this->groupManager
+			->expects($this->once())
+			->method('search')
+			->with('', null, null)
+			->willReturn([]);
+		$this->userManager
+			->expects($this->once())
+			->method('searchDisplayName')
+			->with('', null, null)
+			->willReturn([]);
+
+		$response = $this->ajaxController->getApplicableEntities();
+		$this->assertSame(200, $response->getStatus());
+		$this->assertSame([], $response->getData()['groups']);
+		$this->assertSame([], $response->getData()['users']);
+	}
+
 	public function testGetSshKeys(): void {
 		$this->rsa
 			->expects($this->once())