diff --git a/core/context.py b/core/context.py
index 14e02bb..0a7daf1 100644
--- a/core/context.py
+++ b/core/context.py
@@ -1,9 +1,12 @@
+from django.conf import settings
+
 from core.models import Config
 
 
 def config_context(request):
     return {
         "config": Config.system,
+        "allow_migration": settings.SETUP.ALLOW_USER_MIGRATION,
         "top_section": request.path.strip("/").split("/")[0],
         "opengraph_defaults": {
             "og:site_name": Config.system.site_name,
diff --git a/docs/releases/0.10.rst b/docs/releases/0.10.rst
index 646dce3..4dff3cb 100644
--- a/docs/releases/0.10.rst
+++ b/docs/releases/0.10.rst
@@ -27,6 +27,11 @@ Minor changes also include:
 * Profile pages are no longer shown for remote identities; instead, users are
   linked or redirected directly to the remote profile page.
 
+* Inbound migration has been implemented, but is disabled by default as outbound
+  migration is not yet complete, and we don't want to release a system that
+  captures users with no outward path. If you *really* want to enable it, set
+  ``TAKAHE_ALLOW_USER_MIGRATION=true`` in your environment.
+
 If you'd like to help with code, design, or other areas, see
 :doc:`/contributing` to see how to get in touch.
 
diff --git a/takahe/settings.py b/takahe/settings.py
index c0c45c3..f9a422d 100644
--- a/takahe/settings.py
+++ b/takahe/settings.py
@@ -151,6 +151,9 @@ class Settings(BaseSettings):
     STATOR_CONCURRENCY: int = 50
     STATOR_CONCURRENCY_PER_MODEL: int = 15
 
+    # If user migration is allowed (off by default until outbound is done)
+    ALLOW_USER_MIGRATION: bool = False
+
     # Web Push keys
     # Generate via https://web-push-codelab.glitch.me/
     VAPID_PUBLIC_KEY: str | None = None
diff --git a/templates/settings/_menu.html b/templates/settings/_menu.html
index 7e4635e..941133a 100644
--- a/templates/settings/_menu.html
+++ b/templates/settings/_menu.html
@@ -14,10 +14,12 @@
             <i class="fa-solid fa-cloud-arrow-up"></i>
             <span>Import/Export</span>
         </a>
-        <a href="{% url "settings_migrate_in" handle=identity.handle %}" {% if section == "migrate_in" %}class="selected"{% endif %} title="Interface">
-            <i class="fa-solid fa-door-open"></i>
-            <span>Migrate Inbound</span>
-        </a>
+        {% if allow_migration %}
+            <a href="{% url "settings_migrate_in" handle=identity.handle %}" {% if section == "migrate_in" %}class="selected"{% endif %} title="Interface">
+                <i class="fa-solid fa-door-open"></i>
+                <span>Migrate Inbound</span>
+            </a>
+        {% endif %}
         <a href="{% url "settings_tokens" handle=identity.handle %}" {% if section == "tokens" %}class="selected"{% endif %} title="Authorized Apps">
             <i class="fa-solid fa-window-restore"></i>
             <span>Authorized Apps</span>
diff --git a/users/views/settings/migration.py b/users/views/settings/migration.py
index 59976c1..a9ad122 100644
--- a/users/views/settings/migration.py
+++ b/users/views/settings/migration.py
@@ -1,6 +1,8 @@
 from django import forms
+from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required
+from django.http import Http404
 from django.shortcuts import redirect
 from django.utils.decorators import method_decorator
 from django.views.generic import FormView
@@ -38,6 +40,8 @@ class MigrateInPage(IdentityViewMixin, FormView):
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
+        if not settings.SETUP.ALLOW_USER_MIGRATION:
+            raise Http404()
         # If they asked for an alias deletion, do it here
         if "remove_alias" in self.request.GET:
             self.identity.remove_alias(self.request.GET["remove_alias"])