diff --git a/go.mod b/go.mod
index d9d7d093ea..42ece2a464 100644
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/blevesearch/bleve/v2 v2.3.7
 github.com/coreos/go-oidc/v3 v3.4.0
 github.com/cs3org/go-cs3apis v0.0.0-20221012090518-ef2996678965
- github.com/cs3org/reva/v2 v2.12.1-0.20230404090709-bb973fae26ae
+ github.com/cs3org/reva/v2 v2.12.1-0.20230417084429-b3d96f9db80c
 github.com/disintegration/imaging v1.6.2
 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
 github.com/egirna/icap-client v0.1.1
diff --git a/go.sum b/go.sum
index 1f6c8b0238..6def545b55 100644
--- a/go.sum
+++ b/go.sum
@@ -629,6 +629,8 @@ github.com/crewjam/saml v0.4.13 h1:TYHggH/hwP7eArqiXSJUvtOPNzQDyQ7vwmwEqlFWhMc=
 github.com/crewjam/saml v0.4.13/go.mod h1:igEejV+fihTIlHXYP8zOec3V5A8y3lws5bQBFsTm4gA=
 github.com/cs3org/reva/v2 v2.12.1-0.20230404090709-bb973fae26ae h1:APfYubzIYqCTXtmX6cAm4c8wBYS3R/cZwomX8IlXLaI=
 github.com/cs3org/reva/v2 v2.12.1-0.20230404090709-bb973fae26ae/go.mod h1:FNAYs5H3xs8v0OFmNgZtiMAzIMXd/6TJmO0uZuNn8pQ=
+github.com/cs3org/reva/v2 v2.12.1-0.20230417084429-b3d96f9db80c h1:H6OjKTaRowZfAU/Hwvv4W0pLFFH/KNbHaNVNw3ANoHU=
+github.com/cs3org/reva/v2 v2.12.1-0.20230417084429-b3d96f9db80c/go.mod h1:FNAYs5H3xs8v0OFmNgZtiMAzIMXd/6TJmO0uZuNn8pQ=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8/go.mod h1:4abs/jPXcmJzYoYGF91JF9Uq9s/KL5n1jvFDix8KcqY=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
diff --git a/services/frontend/README.md b/services/frontend/README.md
index d8597106ed..55b4bace40 100644
--- a/services/frontend/README.md
+++ b/services/frontend/README.md
@@ -1,6 +1,6 @@ # Frontend -The frontend service translates various owncloud related HTTP APIs to CS3 requests. +The frontend service translates various owncloud related HTTP APIs to CS3 requests. ## Endpoints Overview @@ -25,3 +25,7 @@ The ocs endpoint, by default `/ocs`, implements the ownCloud 10 Open Collaborati ## Scalability While the frontend service does not persist any data it does cache `Stat()` responses and user information. Therefore, multiple instances of this service can be spawned in a bigger deployment like when using container orchestration with Kubernetes, when configuring `FRONTEND_OCS_RESOURCE_INFO_CACHE_TYPE=redis` and the related config options. + +## Define Read-Only Attributes + +A lot of user management is made via the standardized libregraph API. Depending on how the system is configured, there might be some user attributes that an ocis instance admin can't change because of properties coming from an external LDAP server, or similar. This can be the case when the ocis admin is not the LDAP admin. To ease life for admins, there are hints as capabilites telling the frontend which attributes are read-only to enable a different optical representation like being grayed out. To configure these hints, use the environment variable `FRONTEND_READONLY_USER_ATTRIBUTES`, which takes a comma separated list of attributes. diff --git a/services/frontend/pkg/config/config.go b/services/frontend/pkg/config/config.go index a039dad253..445ddc31c2 100644 --- a/services/frontend/pkg/config/config.go +++ b/services/frontend/pkg/config/config.go 
@@ -39,11 +39,12 @@ type Config struct { PublicURL string `yaml:"public_url" env:"OCIS_URL;FRONTEND_PUBLIC_URL" desc:"The public facing URL of the oCIS frontend."` - AppHandler AppHandler `yaml:"app_handler"` - Archiver Archiver `yaml:"archiver"` - DataGateway DataGateway `yaml:"data_gateway"` - OCS OCS `yaml:"ocs"` - Checksums Checksums `yaml:"checksums"` + AppHandler AppHandler `yaml:"app_handler"` + Archiver Archiver `yaml:"archiver"` + DataGateway DataGateway `yaml:"data_gateway"` + OCS OCS `yaml:"ocs"` + Checksums Checksums `yaml:"checksums"` + ReadOnlyUserAttributes []string `yaml:"read_only_user_attributes" env:"FRONTEND_READONLY_USER_ATTRIBUTES" desc:"Comma separated list of user attributes to indicate as read-only."` Middleware Middleware `yaml:"middleware"` diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go index 0b415ddec3..00456fa2ce 100644 --- a/services/frontend/pkg/revaconfig/config.go +++ b/services/frontend/pkg/revaconfig/config.go @@ -63,6 +63,11 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error } } + readOnlyUserAttributes := []string{} + if cfg.ReadOnlyUserAttributes != nil { + readOnlyUserAttributes = cfg.ReadOnlyUserAttributes + } + return map[string]interface{}{ "core": map[string]interface{}{ "tracing_enabled": cfg.Tracing.Enabled, @@ -198,7 +203,8 @@ func FrontendConfigFromStruct(cfg *config.Config) (map[string]interface{}, error "support_url_signing": true, }, "graph": map[string]interface{}{ - "personal_data_export": true, + "personal_data_export": true, + "read_only_user_attributes": readOnlyUserAttributes, }, "checksums": map[string]interface{}{ "supported_types": cfg.Checksums.SupportedTypes,
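Review bot: The `desc` tag on the new `ReadOnlyUserAttributes` field in `config.go` does not say that the setting is only a hint. The README text added in this commit describes it as a capability that lets clients gray out fields, and nothing visible in this change makes the server reject writes to the listed attributes, so an admin reading the generated config docs could mistake it for an access control. I would word it along the lines of `desc:"Comma separated list of user attributes that clients should display as read-only. This is a display hint; it does not itself prevent changes to these attributes."`, and list the accepted attribute names if there is a fixed set. The `Config` struct starts and ends outside the hunk.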
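Review bot: In the first `revaconfig/config.go` hunk the configured list is forwarded unchanged into the `"read_only_user_attributes"` capability (second hunk), with no trimming and no comment on why nil is replaced by an empty slice. If the env decoder does not trim entries (not visible here), a value written as `a, b` would advertise ` b` with a leading space; clients would presumably not match it, leaving a field editable in the UI that the admin meant to mark read-only. I would normalise the entries while copying them, which also avoids sharing the backing array with `cfg`, and state that the empty list is there so the capability is presumably serialised as a list rather than null. The sketch below needs `strings` in the file's imports if it is not already there; `FrontendConfigFromStruct` starts and ends outside the hunk.

```go
// Always publish a list (never nil) so the capability has a stable type.
readOnlyUserAttributes := make([]string, 0, len(cfg.ReadOnlyUserAttributes))
for _, attr := range cfg.ReadOnlyUserAttributes {
	// Drop padding and empty entries so only clean attribute names are advertised.
	if attr = strings.TrimSpace(attr); attr != "" {
		readOnlyUserAttributes = append(readOnlyUserAttributes, attr)
	}
}

// … unchanged: return map[string]interface{}{ … } …
```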