diff --git a/tests/test_webfinger.py b/tests/test_webfinger.py
index e02fa9e..9e9e37d 100644
--- a/tests/test_webfinger.py
+++ b/tests/test_webfinger.py
@@ -8,7 +8,7 @@ from oauth_dropins.webutil import util
 from oauth_dropins.webutil.testutil import requests_response
 
 # import first so that Fake is defined before URL routes are registered
-from .testutil import Fake, TestCase
+from .testutil import ExplicitEnableFake, Fake, TestCase
 
 from models import PROTOCOLS
 import protocol
@@ -296,6 +296,17 @@ class WebfingerTest(TestCase):
         got = self.client.get(f'/.well-known/webfinger?resource=acct:user.com@user.com')
         self.assertEqual(404, got.status_code)
 
+    def test_protocol_not_enabled(self):
+        self.make_user('eefake:user', cls=ExplicitEnableFake)
+        got = self.client.get(f'/.well-known/webfinger?resource=acct:eefake:user@eefake.brid.gy')
+        self.assertEqual(404, got.status_code)
+
+    def test_protocol_enabled(self):
+        self.make_user('eefake:user', cls=ExplicitEnableFake,
+                       enabled_protocols=['activitypub'])
+        got = self.client.get(f'/.well-known/webfinger?resource=acct:eefake:user@eefake.brid.gy')
+        self.assertEqual(200, got.status_code)
+
     def test_bad_id(self):
         got = self.client.get(f'/.well-known/webfinger?resource=acct:nope@fa.brid.gy')
         self.assertEqual(400, got.status_code, got.get_data(as_text=True))
diff --git a/webfinger.py b/webfinger.py
index 30b242b..04958f0 100644
--- a/webfinger.py
+++ b/webfinger.py
@@ -90,7 +90,7 @@ class Webfinger(flask_util.XrdOrJrd):
             if user and not user.direct:
                 error(f"{user.key} hasn't signed up yet", status=404)
 
-        if not user:
+        if not user or not user.is_enabled_to(activitypub.ActivityPub, user=user):
             error(f'No {cls.LABEL} user found for {id}', status=404)
 
         ap_handle = user.handle_as('activitypub')