diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index f1f85fe82a2..36dab7149f3 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -211,6 +211,8 @@ class Admin::UsersController < Admin::AdminController
 
   def activate
     guardian.ensure_can_activate!(@user)
+    # ensure there is an active email token
+    @user.email_tokens.create(email: @user.email) unless @user.email_tokens.active.exists?
     @user.activate
     StaffActionLogger.new(current_user).log_user_activate(@user, I18n.t('user.activated_by_staff'))
     render json: success_json
diff --git a/spec/controllers/admin/users_controller_spec.rb b/spec/controllers/admin/users_controller_spec.rb
index 9be77f2cbda..f5dae281c96 100644
--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@@ -416,6 +416,19 @@ describe Admin::UsersController do
         json = ::JSON.parse(response.body)
         expect(json['success']).to eq("OK")
       end
+
+      it "should confirm email even when the tokens are expired" do
+        @reg_user.email_tokens.update_all(confirmed: false, expired: true)
+
+        @reg_user.reload
+        expect(@reg_user.email_confirmed?).to eq(false)
+
+        xhr :put, :activate, user_id: @reg_user.id
+        expect(response).to be_success
+
+        @reg_user.reload
+        expect(@reg_user.email_confirmed?).to eq(true)
+      end
     end
 
     context 'log_out' do