diff --git a/rpc/migration/oidc_to_email.go b/rpc/migration/oidc_to_email.go
index d7ceac2d..3b406159 100644
--- a/rpc/migration/oidc_to_email.go
+++ b/rpc/migration/oidc_to_email.go
@@ -83,6 +83,10 @@ func (m *OIDCToEmail) OnRegisterSession(ctx context.Context, originalAccount *da
 }
 func (m *OIDCToEmail) NextBatch(ctx context.Context, projectID uint64, page data.Page) ([]string, data.Page, error) {
+ if !slices.Contains(m.config.Projects, projectID) {
+ return nil, data.Page{}, fmt.Errorf("project id does not match")
+ }
+
 items := make([]string, 0, page.Limit)
 for {
 accounts, page, err := m.accounts.ListByProjectAndIdentity(ctx, page, projectID, proto.IdentityType_OIDC, m.config.IssuerPrefix)
@@ -113,6 +117,10 @@ func (m *OIDCToEmail) NextBatch(ctx context.Context, projectID uint64, page data
 }
 func (m *OIDCToEmail) ProcessItems(ctx context.Context, tenant *proto.TenantData, items []string) (*Result, error) {
+ if !slices.Contains(m.config.Projects, tenant.ProjectID) {
+ return nil, fmt.Errorf("project id does not match")
+ }
+
 if len(items) > 100 {
 return nil, fmt.Errorf("can only process 100 items at a time")
 }
diff --git a/rpc/migrations_test.go b/rpc/migrations_test.go
index 263e69c2..738cfe73 100644
--- a/rpc/migrations_test.go
+++ b/rpc/migrations_test.go
@@ -249,10 +249,12 @@ func TestMigrationEmail(t *testing.T) {
 issuer, tok, closeJWKS := issueAccessTokenAndRunJwksServer(t, tokBuilderFn)
 defer closeJWKS()
+ projectID := currentProjectID.Load() + 1
 svc := initRPC(t, func(cfg *config.Config) {
 cfg.Migrations.Email = config.EmailMigrationConfig{
 Enabled: true,
 IssuerPrefix: issuer,
+ Projects: []uint64{projectID},
 }
 })
 tenant, _ := newTenant(t, svc.Enclave, issuer)
@@ -316,6 +318,7 @@ func TestMigrationEmail(t *testing.T) {
 cfg.Migrations.Email = config.EmailMigrationConfig{
 Enabled: true,
 IssuerPrefix: issuer,
+ Projects: []uint64{projectID},
 }
 })
 tenant, _ := newTenant(t, svc.Enclave, issuer)
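Review bot: The guard added at the top of NextBatch returns `fmt.Errorf("project id does not match")`, which names neither the rejected project nor the migration, so a log reader cannot tell which allowlist refused the call; the identical guard and message are repeated in ProcessItems in the next hunk. I would put the check in one private method used by both and return `fmt.Errorf("project %d is not enabled for OIDC-to-email migration", projectID)`, with a comment stating that an empty `m.config.Projects` rejects every project, since `slices.Contains` is false on an empty slice. OnRegisterSession closes on the first context line and its body is outside this hunk, so whether that path consults the same allowlist cannot be confirmed here and is worth checking.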
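Review bot: The new first statement of ProcessItems reads `tenant.ProjectID` without checking the pointer, so a nil `tenant` would panic before any validation runs. If any caller can pass nil, guard it first with `if tenant == nil { return nil, fmt.Errorf("tenant data is required") }`. The rest of ProcessItems lies outside the hunk, so it may already dereference `tenant` further down, in which case this change only moves the panic earlier.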
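Review bot: Both edited configurations in TestMigrationEmail put the tenant's own project into `Projects`, so the rejection branch added to NextBatch and ProcessItems is not exercised by anything visible in these hunks. Add a case configured with a different ID, for example `Projects: []uint64{projectID + 1}`, and assert that both calls return an error. `projectID := currentProjectID.Load() + 1` also assumes newTenant takes the next counter value, which this hunk does not show; a comment such as `// newTenant is expected to allocate currentProjectID+1` would record that. The same `Projects` line is added again in the hunk at -316.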