diff --git a/consultation_analyser/consultations/views/sessions.py b/consultation_analyser/consultations/views/sessions.py
index 824ad988..2461e5a1 100644
--- a/consultation_analyser/consultations/views/sessions.py
+++ b/consultation_analyser/consultations/views/sessions.py
@@ -55,4 +55,5 @@ def destroy(request: HttpRequest):
 @method_decorator(login_not_required, name="dispatch")
 class MagicLinkView(magic_link.views.MagicLinkView):
+ # Explicitly declared class so can use decorator.
 pass
diff --git a/consultation_analyser/middleware.py b/consultation_analyser/middleware.py
index c2949264..fb1d7db1 100644
--- a/consultation_analyser/middleware.py
+++ b/consultation_analyser/middleware.py
@@ -11,12 +11,10 @@ def __init__(self, get_response):
 def __call__(self, request):
 response = self.get_response(request)
 if request.path.startswith("/support/"):
- if not request.user.is_staff:
+ # Must already be logged in from login required middleware.
+ # Sign-out is excepted as we don't want to 404 on sign-out.
+ if (not request.user.is_staff) and (not request.path.startswith("/support/sign-out/")):
 raise Http404
- # if not request.user.is_authenticated:
- # return HttpResponseNotFound()
- # elif not request.user.is_staff:
- # return HttpResponseNotFound()
 return response
diff --git a/tests/integration/test_logging_in_to_support.py b/tests/integration/test_logging_in_to_support.py
index 1673d764..e3209784 100644
--- a/tests/integration/test_logging_in_to_support.py
+++ b/tests/integration/test_logging_in_to_support.py
@@ -8,7 +8,7 @@ def test_logging_in_to_support(client):
 # given I am a logged in admin user
 user = UserFactory(
 email="email@example.com",
- password="admin", # pragma: allowlist secret
+ # password="admin", # pragma: allowlist secret
 is_staff=True,
 )
 client.force_login(user)
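Review bot: In consultation_analyser/middleware.py the staff check in `__call__` still runs after `response = self.get_response(request)`, so by the time `Http404` is raised the support view has already executed for a logged-in non-staff user and only its response is hidden. Evaluate the condition first and call `self.get_response(request)` afterwards; this presumably works as long as the middleware is listed after the authentication middleware, so that `request.user` is already set. The new sign-out exemption is a prefix match, so every path under `/support/sign-out/` skips the staff check; `request.path == "/support/sign-out/"` would limit it to the one URL if no sub-paths are intended. The class header is outside the hunk.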
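Review bot: In tests/integration/test_logging_in_to_support.py the `password` argument is commented out rather than removed, which leaves dead code and a stale `# pragma: allowlist secret` marker inside the `UserFactory(...)` call. The test authenticates with `client.force_login(user)`, so the line can simply be deleted, in keeping with this commit's removal of the commented-out block in middleware.py. The test function starts above the hunk and may continue below it.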