diff --git a/Makefile b/Makefile
index ac997ffbdd..a607d23bfe 100644
--- a/Makefile
+++ b/Makefile
@@ -55,6 +55,8 @@ ifdef CABAL_DIR
 else
 	rm -rf ~/.cabal/store
 endif
+	rm -rf ./dist-newbuild ./.env
+	direnv reload
 
 .PHONY: clean
 clean:
@@ -65,8 +67,10 @@ clean:
 .PHONY: clean-hint
 clean-hint:
 	@echo -e "\n\n\n>>> PSA: if you get errors that are hard to explain,"
-	@echo -e ">>> try 'make full-clean' and run your command again."
-	@echo -e ">>> see https://github.com/wireapp/wire-server/blob/develop/docs/developer/building.md#linker-errors-while-compiling\n\n\n"
+	@echo -e ">>> try 'git submodule update --init --recursive' and 'make full-clean' and run your command again."
+	@echo -e ">>> see https://github.com/wireapp/wire-server/blob/develop/docs/developer/building.md#linker-errors-while-compiling"
+	@echo -e ">>> to never have to remember submodules again, try `git config --global submodule.recurse true`"
+	@echo -e "\n\n\n"
 
 .PHONY: cabal.project.local
 cabal.project.local:
diff --git a/services/spar/src/Spar/App.hs b/services/spar/src/Spar/App.hs
index 3ff0204a55..7edc345b28 100644
--- a/services/spar/src/Spar/App.hs
+++ b/services/spar/src/Spar/App.hs
@@ -25,7 +25,6 @@ module Spar.App
     verdictHandler,
     getUserByUrefUnsafe,
     getUserIdByScimExternalId,
-    validateEmailIfExists,
     validateEmail,
     errorPage,
     deleteTeam,
@@ -196,7 +195,6 @@ autoprovisionSamlUser idp buid suid = do
   guardReplacedIdP
   guardScimTokens
   createSamlUserWithId (idp ^. idpExtraInfo . wiTeam) buid suid
-  validateEmailIfExists buid suid
   where
     -- Replaced IdPs are not allowed to create new wire accounts.
     guardReplacedIdP :: Sem r ()
@@ -393,6 +391,7 @@ verdictHandlerResultCore idp = \case
             Nothing -> do
               buid <- Id <$> Random.uuid
               autoprovisionSamlUser idp buid uref
+              validateEmailIfExists buid uref
               pure buid
 
     Logger.log Logger.Debug ("granting sso login for " <> show uid)
diff --git a/services/spar/src/Spar/Scim/User.hs b/services/spar/src/Spar/Scim/User.hs
index 4b9c97b7ac..90624de177 100644
--- a/services/spar/src/Spar/Scim/User.hs
+++ b/services/spar/src/Spar/Scim/User.hs
@@ -64,7 +64,8 @@ import Network.URI (URI, parseURI)
 import Polysemy
 import Polysemy.Input
 import qualified SAML2.WebSSO as SAML
-import Spar.App (getUserByUrefUnsafe, getUserIdByScimExternalId, validateEmail, validateEmailIfExists)
+import Spar.App (getUserByUrefUnsafe, getUserIdByScimExternalId)
+import qualified Spar.App
 import qualified Spar.Intra.BrigApp as Brig
 import Spar.Scim.Auth ()
 import Spar.Scim.Types (normalizeLikeStored)
@@ -481,11 +482,7 @@ createValidScimUser tokeninfo@ScimTokenInfo {stiTeam} vsu@(ST.ValidScimUser veid
       createValidScimUserSpar stiTeam buid storedUser veid
 
       -- If applicable, trigger email validation procedure on brig.
-      lift $
-        ST.runValidExternalIdEither
-          (validateEmailIfExists buid)
-          (\_ -> pure () {- nothing to do; user is sent an invitation that validates the address implicitly -})
-          veid
+      lift $ Spar.App.validateEmail (Just stiTeam) buid `mapM_` veidEmail veid
 
       -- TODO: suspension via scim is brittle, and may leave active users behind: if we don't
       -- reach the following line due to a crash, the user will be active.