diff --git a/src/common/dpp.c b/src/common/dpp.c
index 12a5a983b..9cdd926ff 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -4517,6 +4517,10 @@ static int dpp_configuration_parse_helper(struct dpp_authentication *auth,
 		conf = conf_ap;
 	}
 
+	pos = os_strstr(cmd, " conf=configurator");
+	if (pos)
+		auth->provision_configurator = 1;
+
 	if (!conf)
 		return 0;
 
@@ -5605,6 +5609,12 @@ static struct wpabuf * dpp_build_enveloped_data(struct dpp_authentication *auth)
 		return NULL;
 	}
 
+	if (!auth->provision_configurator) {
+		wpa_printf(MSG_DEBUG,
+			   "DPP: Configurator provisioning not allowed");
+		return NULL;
+	}
+
 	wpa_printf(MSG_DEBUG, "DPP: Building DPPEnvelopedData");
 
 	hash_len = auth->conf->curve->hash_len;
diff --git a/src/common/dpp.h b/src/common/dpp.h
index c47a9b87c..ad1bcb0fa 100644
--- a/src/common/dpp.h
+++ b/src/common/dpp.h
@@ -254,6 +254,7 @@ struct dpp_authentication {
 	struct dpp_configuration *conf2_ap;
 	struct dpp_configuration *conf_sta;
 	struct dpp_configuration *conf2_sta;
+	int provision_configurator;
 	struct dpp_configurator *conf;
 	struct dpp_config_obj {
 		char *connector; /* received signedConnector */