diff --git a/src/main/java/de/aservo/confapi/crowd/service/ApplicationsServiceImpl.java b/src/main/java/de/aservo/confapi/crowd/service/ApplicationsServiceImpl.java
index 0fda00f..dc50efd 100644
--- a/src/main/java/de/aservo/confapi/crowd/service/ApplicationsServiceImpl.java
+++ b/src/main/java/de/aservo/confapi/crowd/service/ApplicationsServiceImpl.java
@@ -269,9 +269,16 @@ ApplicationDirectoryMapping toApplicationDirectoryMapping(
         applicationDirectoryMappingBuilder.setDirectory(findDirectory(applicationBeanDirectoryMapping.getDirectoryName(), directoryManager));
 
         if (applicationBeanDirectoryMapping.getAuthenticationAllowAll() != null) {
-            applicationDirectoryMappingBuilder.setAllowAllToAuthenticate(applicationBeanDirectoryMapping.getAuthenticationAllowAll());
+            final boolean authenticationAllowAll = applicationBeanDirectoryMapping.getAuthenticationAllowAll();
+            applicationDirectoryMappingBuilder.setAllowAllToAuthenticate(authenticationAllowAll);
+
+            // don't require to set authentication groups if all users are allowed to authenticate
+            if (authenticationAllowAll) {
+                applicationDirectoryMappingBuilder.setAuthorisedGroupNames(Collections.emptySet());
+            }
         }
 
+        // even if all users are allowed to authenticate, it does not hurt to set (ignored) authentication groups if they got passed
         if (applicationBeanDirectoryMapping.getAuthenticationGroups() != null) {
             applicationDirectoryMappingBuilder.setAuthorisedGroupNames(new HashSet<>(applicationBeanDirectoryMapping.getAuthenticationGroups()));
         }