diff --git a/app/schemas.py b/app/schemas.py
index b9f75cb2c..7f52b9541 100644
--- a/app/schemas.py
+++ b/app/schemas.py
@@ -110,8 +110,9 @@ class UserUpdateAttributeSchema(BaseSchema):
 class Meta:
 model = models.User
 exclude = (
- "updated_at", "created_at", "user_to_service",
- "_password", "verify_codes")
+ 'id', 'updated_at', 'created_at', 'user_to_service',
+ '_password', 'verify_codes', 'logged_in_at', 'password_changed_at',
+ 'failed_login_count', 'state', 'platform_admin')
 strict = True
 @validates('name')
diff --git a/tests/app/dao/test_users_dao.py b/tests/app/dao/test_users_dao.py
index 7d1901f0d..cc814b160 100644
--- a/tests/app/dao/test_users_dao.py
+++ b/tests/app/dao/test_users_dao.py
@@ -64,11 +64,8 @@ def test_get_user_not_exists(notify_api, notify_db, notify_db_session, fake_uuid
 def test_get_user_invalid_id(notify_api, notify_db, notify_db_session):
- try:
+ with pytest.raises(DataError):
 get_user_by_id(user_id="blah")
- pytest.fail("DataError exception not thrown.")
- except DataError:
- pass
 def test_delete_users(notify_api, notify_db, notify_db_session, sample_user):
diff --git a/tests/app/test_schemas.py b/tests/app/test_schemas.py
index 5f2bc4371..1d66f3290 100644
--- a/tests/app/test_schemas.py
+++ b/tests/app/test_schemas.py
@@ -1,5 +1,7 @@
 import pytest
+from marshmallow import ValidationError
+
 def test_job_schema_doesnt_return_notifications(sample_notification_with_job):
 from app.schemas import job_schema
@@ -32,7 +34,7 @@ def test_notification_schema_adds_api_key_name(sample_notification_with_api_key)
 ('email_address', 'newuser@mail.com'),
 ('mobile_number', '+4407700900460')
 ])
-def test_user_schema_accepts_valid_attributes(user_attribute, user_value):
+def test_user_update_schema_accepts_valid_attribute_pairs(user_attribute, user_value):
 update_dict = {
 user_attribute: user_value
 }
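Review bot: In `app/schemas.py`, the `exclude` tuple in `UserUpdateAttributeSchema.Meta` is a denylist. If `BaseSchema` derives its fields from `models.User`, as `model = models.User` suggests, any column added to the model later becomes client-writable through this schema until someone remembers to list it here. For a schema that now has to keep `platform_admin`, `state` and `failed_login_count` out of reach, an allowlist fails safe instead. Consider replacing `exclude` with an explicit `fields = ('name', 'email_address', 'mobile_number')`, if those three (the ones validated or tested on this page) are the full set a user update may set, and add a comment such as `# privilege, lockout and audit columns must never be set from request data`. The class body continues outside the hunk, so confirm that no other `Meta` option relies on `exclude`.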
@@ -48,11 +50,28 @@ def test_user_schema_accepts_valid_attributes(user_attribute, user_value):
 ('email_address', 'bademail@...com'),
 ('mobile_number', '+44077009')
 ])
-def test_user_schema_rejects_invalid_attributes(user_attribute, user_value):
+def test_user_update_schema_rejects_invalid_attribute_pairs(user_attribute, user_value):
 from app.schemas import user_update_schema_load_json
 update_dict = {
 user_attribute: user_value
 }
- with pytest.raises(Exception):
+ with pytest.raises(ValidationError):
 data, errors = user_update_schema_load_json.load(update_dict)
+
+
+@pytest.mark.parametrize('user_attribute', [
+ 'id', 'updated_at', 'created_at', 'user_to_service',
+ '_password', 'verify_codes', 'logged_in_at', 'password_changed_at',
+ 'failed_login_count', 'state', 'platform_admin'
+])
+def test_user_update_schema_rejects_disallowed_attribute_keys(user_attribute):
+ update_dict = {
+ user_attribute: 'not important'
+ }
+ from app.schemas import user_update_schema_load_json
+
+ with pytest.raises(ValidationError) as excinfo:
+ data, errors = user_update_schema_load_json.load(update_dict)
+
+ assert excinfo.value.messages['_schema'][0] == 'Unknown field name {}'.format(user_attribute)
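Review bot: The parametrize list in `test_user_update_schema_rejects_disallowed_attribute_keys` is a hand-typed copy of the `exclude` tuple in `app/schemas.py`, so the test only proves that those eleven names are rejected today. A sensitive column added to `models.User` later would be missed by both lists unless each is edited. A stronger regression test would enumerate the model's column names and assert that every one outside a short, explicit set of updatable attributes raises `ValidationError`; that way a new column fails the test until someone decides whether it may be client-writable. Separately, `data, errors =` inside the `pytest.raises` block is never bound because `load` raises first, so a bare `user_update_schema_load_json.load(update_dict)` states the intent more plainly.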