diff --git a/docker-jans-persistence-loader/README.md b/docker-jans-persistence-loader/README.md
index e0a1fd3ebfc..88a32bddfbb 100644
--- a/docker-jans-persistence-loader/README.md
+++ b/docker-jans-persistence-loader/README.md
@@ -54,6 +54,7 @@ The following environment variables are supported by the container:
 - `CN_PERSISTENCE_TYPE`: Persistence backend being used (one of `ldap`, `couchbase`, or `hybrid`; default to `ldap`).
 - `CN_HYBRID_MAPPING`: Specify data mapping for each persistence (default to `"{}"`). Note this environment only takes effect when `CN_PERSISTENCE_TYPE` is set to `hybrid`. See [hybrid mapping](#hybrid-mapping) section for details.
 - `CN_PERSISTENCE_SKIP_INITIALIZED`: skip initialization if backend already initialized (default to `false`).
+- `CN_PERSISTENCE_UPDATE_AUTH_DYNAMIC_CONFIG`: Whether to allow automatic updates of `jans-auth` configuration (default to `true`).
 - `CN_LDAP_URL`: Address and port of LDAP server (default to `localhost:1636`).
 - `CN_LDAP_USE_SSL`: Whether to use SSL connection to LDAP server (default to `true`).
 - `CN_COUCHBASE_URL`: Address of Couchbase server (default to `localhost`).
diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py
index f4f8e2a0277..bfce4ad37c2 100644
--- a/docker-jans-persistence-loader/scripts/upgrade.py
+++ b/docker-jans-persistence-loader/scripts/upgrade.py
@@ -177,16 +177,16 @@ def _transform_auth_dynamic_config(conf): lambda x: isinstance(x, dict), conf["authorizationRequestCustomAllowedParameters"] )) if not params_with_dict: - conf["authorizationRequestCustomAllowedParameters"] = list(map( - lambda p: {"paramName": p[0], "returnInResponse": p[1]}, - [ + conf["authorizationRequestCustomAllowedParameters"] = [ + {"paramName": p[0], "returnInResponse": p[1]} + for p in [ ("customParam1", False), ("customParam2", False), ("customParam3", False), ("customParam4", True), ("customParam5", True), ] - )) + ] should_update = True if "useHighestLevelScriptIfAcrScriptNotFound" not in conf: @@ -457,7 +457,9 @@ def invoke(self): if hasattr(self.backend, "update_misc"): self.backend.update_misc() - self.update_auth_dynamic_config() + if as_boolean(os.environ.get("CN_PERSISTENCE_UPDATE_AUTH_DYNAMIC_CONFIG", "true")): + self.update_auth_dynamic_config() + self.update_auth_errors_config() self.update_auth_static_config() self.update_attributes_entries()
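Review bot: The new comprehension in `_transform_auth_dynamic_config` still indexes each tuple as `p[0]` / `p[1]`, which hides what the two fields mean; unpacking in the loop header reads better, `for name, in_response in [` with `{"paramName": name, "returnInResponse": in_response}`. A one-line comment above the assignment, for example `# no dict-style entries (presumably the legacy format): reset to the default custom parameters`, would also make it explicit that this branch replaces the existing list rather than merging into it, which matters to anyone who has customised the allowed authorization-request parameters. The function body starts and ends outside the hunk, so how `params_with_dict` is built is only partly visible here.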
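Review bot: When `CN_PERSISTENCE_UPDATE_AUTH_DYNAMIC_CONFIG` is false, `invoke` skips `update_auth_dynamic_config()` without leaving any trace, so an upgrade can leave the `jans-auth` dynamic configuration without the keys and defaults that transform would have added, and nothing in the job output says so. Add an `else` branch that records the skip, e.g. `else: logger.warning("CN_PERSISTENCE_UPDATE_AUTH_DYNAMIC_CONFIG is disabled; skipping jans-auth dynamic config update")`, assuming a module-level logger is in scope; the imports, including `os` and `as_boolean`, are outside the hunk. It is also worth confirming how `as_boolean` treats an unrecognised value such as a typo, since that decides whether a misconfiguration silently disables the update. `invoke` starts and ends outside the hunk.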