diff --git a/internal/auth0/connection/expand.go b/internal/auth0/connection/expand.go
index e1077697c..cd94b52b9 100644
--- a/internal/auth0/connection/expand.go
+++ b/internal/auth0/connection/expand.go
@@ -781,6 +781,11 @@ func expandConnectionOptionsScopes(data *schema.ResourceData, options scoper) {
 	}
 }
 
+// passThroughUnconfigurableConnectionOptions ensures that read-only connection options
+// set by external services do not get removed from the connection resource.
+//
+// This is necessary because the "/api/v2/connections/{id}" endpoint does not follow usual
+// PATCH behavior, the 'options' property is entirely replaced by the payload object.
 func passThroughUnconfigurableConnectionOptions(
 	ctx context.Context,
 	api *management.Management,
@@ -817,6 +822,10 @@ func passThroughUnconfigurableConnectionOptionsAD(
 		return err
 	}
 
+	if existingConnection.Options == nil {
+		return nil
+	}
+
 	existingOptions := existingConnection.Options.(*management.ConnectionOptionsAD)
 
 	expandedOptions := connection.Options.(*management.ConnectionOptionsAD)
@@ -842,6 +851,10 @@ func passThroughUnconfigurableConnectionOptionsAzureAD(
 		return err
 	}
 
+	if existingConnection.Options == nil {
+		return nil
+	}
+
 	existingOptions := existingConnection.Options.(*management.ConnectionOptionsAzureAD)
 
 	expandedOptions := connection.Options.(*management.ConnectionOptionsAzureAD)
@@ -867,6 +880,10 @@ func passThroughUnconfigurableConnectionOptionsADFS(
 		return err
 	}
 
+	if existingConnection.Options == nil {
+		return nil
+	}
+
 	existingOptions := existingConnection.Options.(*management.ConnectionOptionsADFS)
 
 	expandedOptions := connection.Options.(*management.ConnectionOptionsADFS)
@@ -891,6 +908,10 @@ func passThroughUnconfigurableConnectionOptionsSAML(
 		return err
 	}
 
+	if existingConnection.Options == nil {
+		return nil
+	}
+
 	existingOptions := existingConnection.Options.(*management.ConnectionOptionsSAML)
 
 	expandedOptions := connection.Options.(*management.ConnectionOptionsSAML)
@@ -919,6 +940,10 @@ func passThroughUnconfigurableConnectionOptionsPingFederate(
 		return err
 	}
 
+	if existingConnection.Options == nil {
+		return nil
+	}
+
 	existingOptions := existingConnection.Options.(*management.ConnectionOptionsPingFederate)
 
 	expandedOptions := connection.Options.(*management.ConnectionOptionsPingFederate)