diff --git a/models/auth/TestOrphanedOAuth2Applications/oauth2_application.yaml b/models/auth/TestOrphanedOAuth2Applications/oauth2_application.yaml
index b188770a30..cccb404ab1 100644
--- a/models/auth/TestOrphanedOAuth2Applications/oauth2_application.yaml
+++ b/models/auth/TestOrphanedOAuth2Applications/oauth2_application.yaml
@@ -23,3 +23,11 @@
   redirect_uris: '["http://127.0.0.1", "https://127.0.0.1"]'
   created_unix: 1712358091
   updated_unix: 1712358091
+-
+  id: 1003
+  uid: 0
+  name: "Global Auth source that should be kept"
+  client_id: "2f3467c1-7b3b-463d-ab04-2ae2b2712826"
+  redirect_uris: '["http://example.com/globalapp", "https://example.com/globalapp"]'
+  created_unix: 1732387292
+  updated_unix: 1732387292
diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
index 125d64b36f..9a7854408f 100644
--- a/models/auth/oauth2.go
+++ b/models/auth/oauth2.go
@@ -657,6 +657,7 @@ func CountOrphanedOAuth2Applications(ctx context.Context) (int64, error) {
 		Table("`oauth2_application`").
 		Join("LEFT", "`user`", "`oauth2_application`.`uid` = `user`.`id`").
 		Where(builder.IsNull{"`user`.id"}).
+		Where(builder.Neq{"uid": 0}). // exclude instance-wide admin applications
 		Where(builder.NotIn("`oauth2_application`.`client_id`", BuiltinApplicationsClientIDs())).
 		Select("COUNT(`oauth2_application`.`id`)").
 		Count()
@@ -668,6 +669,7 @@ func DeleteOrphanedOAuth2Applications(ctx context.Context) (int64, error) {
 		From("`oauth2_application`").
 		Join("LEFT", "`user`", "`oauth2_application`.`uid` = `user`.`id`").
 		Where(builder.IsNull{"`user`.id"}).
+		Where(builder.Neq{"uid": 0}). // exclude instance-wide admin applications
 		Where(builder.NotIn("`oauth2_application`.`client_id`", BuiltinApplicationsClientIDs()))
 
 	b := builder.Delete(builder.In("id", subQuery)).From("`oauth2_application`")
diff --git a/models/auth/oauth2_test.go b/models/auth/oauth2_test.go
index 94b506ed48..9b562c8648 100644
--- a/models/auth/oauth2_test.go
+++ b/models/auth/oauth2_test.go
@@ -296,4 +296,5 @@ func TestOrphanedOAuth2Applications(t *testing.T) {
 	require.NoError(t, err)
 	assert.EqualValues(t, 0, count)
 	unittest.AssertExistsIf(t, false, &auth_model.OAuth2Application{ID: 1002})
+	unittest.AssertExistsIf(t, true, &auth_model.OAuth2Application{ID: 1003})
 }