diff --git a/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.7.0.xml b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.7.0.xml index e705989c71d..7165348cadb 100755 --- a/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.7.0.xml +++ b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.7.0.xml @@ -48,7 +48,7 @@ - + @@ -56,6 +56,7 @@ + diff --git a/examples/basic-auth/basicauthrealm.json b/examples/basic-auth/basicauthrealm.json index 8f19658432f..13af84fe761 100644 --- a/examples/basic-auth/basicauthrealm.json +++ b/examples/basic-auth/basicauthrealm.json @@ -43,6 +43,7 @@ "clients": [ { "clientId": "basic-auth-service", + "standardFlowEnabled": false, "directAccessGrantsEnabled": true, "enabled": true, "adminUrl": "/basicauth", diff --git a/examples/demo-template/testrealm.json b/examples/demo-template/testrealm.json index 2988ea6d83c..2542f82d243 100755 --- a/examples/demo-template/testrealm.json +++ b/examples/demo-template/testrealm.json @@ -178,6 +178,7 @@ "clientId": "admin-client", "enabled": true, "publicClient": true, + "standardFlowEnabled": false, "directAccessGrantsEnabled": true }, { diff --git a/examples/fuse/testrealm.json b/examples/fuse/testrealm.json index 6b3dda9141a..de93f7d5975 100644 --- a/examples/fuse/testrealm.json +++ b/examples/fuse/testrealm.json @@ -182,6 +182,7 @@ "clientId": "ssh-jmx-admin-client", "enabled": true, "publicClient": false, + "standardFlowEnabled": false, "directAccessGrantsEnabled": true, "secret": "password" } diff --git a/model/api/src/main/java/org/keycloak/migration/migrators/MigrateTo1_7_0.java b/model/api/src/main/java/org/keycloak/migration/migrators/MigrateTo1_7_0.java index 5fa941d9e52..2c5710d6156 100644 --- a/model/api/src/main/java/org/keycloak/migration/migrators/MigrateTo1_7_0.java +++ b/model/api/src/main/java/org/keycloak/migration/migrators/MigrateTo1_7_0.java 
@@ -4,9 +4,12 @@ import java.util.List; import org.keycloak.migration.MigrationProvider; import org.keycloak.migration.ModelVersion; +import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.models.Constants; +import org.keycloak.models.IdentityProviderModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.RealmModel; +import org.keycloak.models.utils.DefaultAuthenticationFlows; /** * @author Marek Posolda @@ -18,10 +21,24 @@ public class MigrateTo1_7_0 { public void migrate(KeycloakSession session) { List realms = session.realms().getRealms(); for (RealmModel realm : realms) { + // Set default accessToken timeout for implicit flow realm.setAccessTokenLifespanForImplicitFlow(Constants.DEFAULT_ACCESS_TOKEN_LIFESPAN_FOR_IMPLICIT_FLOW_TIMEOUT); + // Add 'admin-cli' builtin client MigrationProvider migrationProvider = session.getProvider(MigrationProvider.class); migrationProvider.setupAdminCli(realm); + + // add firstBrokerLogin flow and set it to all identityProviders + DefaultAuthenticationFlows.migrateFlows(realm); + AuthenticationFlowModel firstBrokerLoginFlow = realm.getFlowByAlias(DefaultAuthenticationFlows.FIRST_BROKER_LOGIN_FLOW); + + List identityProviders = realm.getIdentityProviders(); + for (IdentityProviderModel identityProvider : identityProviders) { + if (identityProvider.getFirstBrokerLoginFlowId() == null) { + identityProvider.setFirstBrokerLoginFlowId(firstBrokerLoginFlow.getId()); + realm.updateIdentityProvider(identityProvider); + } + } } } } diff --git a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java index 24db3a6901c..dfa2e46190e 100755 --- a/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java +++ b/model/api/src/main/java/org/keycloak/models/utils/RepresentationToModel.java 
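Review bot: `firstBrokerLoginFlow.getId()` in the identity-provider loop is dereferenced without a null check, although `getFlowByAlias` can return null (the RepresentationToModel hunk of this same commit compares its result with null). The body of `DefaultAuthenticationFlows.migrateFlows(realm)` is not visible here, so if it ever leaves a realm without that flow, the migration would stop with a NullPointerException partway through the realm list, after earlier realms were already changed. Fail with a clear message right after the lookup, e.g. `if (firstBrokerLoginFlow == null) throw new IllegalStateException("first broker login flow missing in realm " + realm.getName());`.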
@@ -460,6 +460,10 @@ public class RepresentationToModel { newRealm.setClientAuthenticationFlow(newRealm.getFlowByAlias(rep.getClientAuthenticationFlow())); } + // Added in 1.7 + if (newRealm.getFlowByAlias(DefaultAuthenticationFlows.FIRST_BROKER_LOGIN_FLOW) == null) { + DefaultAuthenticationFlows.firstBrokerLoginFlow(newRealm, true); + } } private static void convertDeprecatedSocialProviders(RealmRepresentation rep) { diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java index 3c339d894e8..8ab0cfc1c86 100755 --- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java +++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java @@ -400,7 +400,16 @@ public class RealmManager implements RealmImporter { if (!hasBrokerClient(rep)) setupBrokerService(realm); if (!hasAdminConsoleClient(rep)) setupAdminConsole(realm); - if (!hasAdminCliClient(rep)) setupAdminCli(realm); + + boolean postponeAdminCliSetup = false; + if (!hasAdminCliClient(rep)) { + if (hasRealmAdminManagementClient(rep)) { + postponeAdminCliSetup = true; + } else { + setupAdminCli(realm); + } + } + if (!hasRealmRole(rep, Constants.OFFLINE_ACCESS_ROLE)) setupOfflineTokens(realm); RepresentationToModel.importRealm(session, rep, realm); @@ -415,6 +424,10 @@ public class RealmManager implements RealmImporter { setupImpersonationService(realm); } + if (postponeAdminCliSetup) { + setupAdminCli(realm); + } + setupAuthenticationFlows(realm); setupRequiredActions(realm); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractClientRegistrationTest.java index 627865353fb..37b53c27874 100644 
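Review bot: The bare `true` in `DefaultAuthenticationFlows.firstBrokerLoginFlow(newRealm, true)` does not say what it selects, and `// Added in 1.7` records when the block was added but not why. This flow governs what happens the first time a brokered identity reaches the realm, so the comment should state that an import without it silently gets the built-in default, e.g. `// No first-broker-login flow in the imported representation: create the built-in default`, with a word on the flag. Identity providers from the representation are not bound to the flow in this hunk, whereas MigrateTo1_7_0 sets `firstBrokerLoginFlowId` explicitly; presumably the import handles that elsewhere, which is worth confirming. The enclosing method starts outside the hunk.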
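Review bot: Nothing in the new `postponeAdminCliSetup` branch explains why `setupAdminCli(realm)` must run after `RepresentationToModel.importRealm(...)` when `hasRealmAdminManagementClient(rep)` is true, so this ordering constraint is easy to break in a later refactor. A comment above the flag would fix that, e.g. `// admin-cli must be created after the import when the representation brings its own realm-management client`. The underlying reason is not visible in the diff and should be stated by the author. The deferred call is in the next hunk of the same file (`if (postponeAdminCliSetup)`), just before `setupAuthenticationFlows(realm)`. Both hunks sit inside a method whose start and end are outside the diff.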
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractClientRegistrationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/AbstractClientRegistrationTest.java @@ -104,7 +104,7 @@ public abstract class AbstractClientRegistrationTest extends AbstractKeycloakTes } private String getToken(String username, String password) { - return oauthClient.getToken(REALM_NAME, "security-admin-console", null, username, password).getToken(); + return oauthClient.getToken(REALM_NAME, Constants.ADMIN_CLI_CLIENT_ID, null, username, password).getToken(); } }