diff --git a/ansible/playbooks/update-enrollment-flow.yml b/ansible/playbooks/update-enrollment-flow.yml
new file mode 100644
index 0000000..dda3ef8
--- /dev/null
+++ b/ansible/playbooks/update-enrollment-flow.yml
@@ -0,0 +1,61 @@
+---
+# Update enrollment flow blueprint on running Authentik instance
+- name: Update enrollment flow blueprint
+ hosts: all
+ gather_facts: no
+ become: yes
+
+ vars:
+ authentik_api_token: "ak_DtA2LG1Z9shl-tw9r0cs34B1G9l8Lpz76GxLf-4OBiUWbiHbAVJ04GYLcZ30"
+ client_domain: "dev.vrije.cloud"
+
+ tasks:
+
+ - name: Create blueprints directory
+ file:
+ path: /opt/config/authentik/blueprints
+ state: directory
+ mode: '0755'
+
+ - name: Copy enrollment flow blueprint
+ copy:
+ src: ../roles/authentik/files/enrollment-flow.yaml
+ dest: /opt/config/authentik/blueprints/enrollment-flow.yaml
+ mode: '0644'
+ register: blueprint_copied
+
+ - name: Copy blueprint into authentik-worker container
+ shell: |
+ docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-worker:/blueprints/enrollment-flow.yaml
+ when: blueprint_copied.changed
+
+ - name: Copy blueprint into authentik-server container
+ shell: |
+ docker cp /opt/config/authentik/blueprints/enrollment-flow.yaml authentik-server:/blueprints/enrollment-flow.yaml
+ when: blueprint_copied.changed
+
+ - name: Restart authentik-worker to force blueprint discovery
+ shell: docker restart authentik-worker
+ when: blueprint_copied.changed
+
+ - name: Wait for blueprint to be applied
+ shell: |
+ sleep 30
+ docker exec authentik-server curl -sf -H 'Authorization: Bearer {{ authentik_api_token }}' \
+ 'http://localhost:9000/api/v3/flows/instances/?slug=default-enrollment-flow'
+ register: flow_check
+ retries: 6
+ delay: 10
+ until: flow_check.rc == 0
+ no_log: true
+
+ - name: Display success message
+ debug:
+ msg: |
+ ✓ Enrollment flow blueprint updated successfully!
+
+ The invitation-only enrollment flow is now set as the default.
+ When you create invitations in Authentik, they will automatically
+ use the correct flow.
+
+ Flow URL: https://auth.{{ client_domain }}/if/flow/default-enrollment-flow/
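Review bot: The `vars` block commits a live-looking Authentik API bearer token in plaintext, so it is now part of repository history and the `no_log: true` on the "Wait for blueprint to be applied" task does not cover that; the value should be treated as exposed and rotated, and the playbook should read it from a vaulted variable or the environment, e.g. `authentik_api_token: "{{ lookup('env', 'AUTHENTIK_API_TOKEN') }}"` or `authentik_api_token: "{{ vault_authentik_api_token }}"`. Even with `no_log`, the token is interpolated into the `docker exec ... curl -H 'Authorization: Bearer ...'` command line, where it is visible in the host's process list while the task runs; passing it via a file or an environment variable on the `docker exec` would avoid that. The wait task's `curl -sf` only confirms the API answered the `?slug=default-enrollment-flow` query without an HTTP error, which likely also succeeds when the list is empty, so `until` should probably inspect the JSON body for a result rather than just `flow_check.rc == 0`. As a point of style, `gather_facts: no` and `become: yes` should be written `false`/`true`, and the single-command `shell: |` tasks (`docker cp`, `docker restart`) would be better as `command:` with an explicit `changed_when`.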