diff --git a/data_safe_haven/infrastructure/project_manager.py b/data_safe_haven/infrastructure/project_manager.py
index dcb3941af2..6008f26cf8 100644
--- a/data_safe_haven/infrastructure/project_manager.py
+++ b/data_safe_haven/infrastructure/project_manager.py
@@ -286,12 +286,29 @@ def destroy(self) -> None:
 raise DataSafeHavenPulumiError(msg) from exc
 def ensure_config(self, name: str, value: str, *, secret: bool) -> None:
- """Ensure that config values have been set, setting them if they do not exist"""
+ """
+ Ensure that config values have been set.
+
+ Values will be set if they do not exist.
+
+ If the value is already set and does not match the `value` argument,
+ `DataSafeHavenPulumiError` will be raised.
+ """
 try:
- self.stack.get_config(name)
+ existing_value = self.stack.get_config(name).value
 except automation.CommandError:
+ # Set value if it does not already exist
 self.set_config(name, value, secret=secret)
+ # If the value does already exist, ensure it is consistent with the declared
+ # value
+ if existing_value != value:
+ msg = (
+ f"Unchangeable configuration option '{name}' not consistent, "
+ f"your configuration: '{value}', Pulumi workspace: '{existing_value}'."
+ )
+ raise DataSafeHavenPulumiError(msg)
+
 def evaluate(self, result: str) -> None:
 """Evaluate a Pulumi operation."""
 if result == "succeeded":
diff --git a/tests/infrastructure/test_project_manager.py b/tests/infrastructure/test_project_manager.py
index 259c5f1b37..8c74a83808 100644
--- a/tests/infrastructure/test_project_manager.py
+++ b/tests/infrastructure/test_project_manager.py
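Review bot: When `get_config` raises `automation.CommandError`, `existing_value` is never assigned, so the comparison after the `except` block fails with an unbound-variable error right after `set_config` has run. No `else:` or `return` separates the two; indentation is lost in this view, but the name is unbound wherever the `if` sits. Moving the comparison under an `else:` clause of the `try` fixes that. Separately, the error message interpolates `value` and, presumably in decrypted form, `existing_value` even when `secret=True`, so a mismatch on a secret option would write the secret into exception text and any log that records it. The sketch below keeps the existing message for non-secret options and omits the values for secrets.

```python
        except automation.CommandError:
            # … unchanged: set_config call …
        else:
            # Only compare when get_config succeeded, so existing_value is bound
            if existing_value != value:
                if secret:
                    # Never echo secret values into exception text or logs
                    msg = (
                        f"Unchangeable secret configuration option '{name}' "
                        "not consistent with the Pulumi workspace."
                    )
                else:
                    # … unchanged: message with both values …
                raise DataSafeHavenPulumiError(msg)
```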
@@ -49,6 +49,22 @@ def test_cleanup(
 )
 assert "Purged Azure Key Vault shmacmedsresandbosecrets." in stdout
+ def test_ensure_config(self, sre_project_manager):
+ sre_project_manager.ensure_config(
+ "azure-native:location", "uksouth", secret=False
+ )
+ sre_project_manager.ensure_config("data-safe-haven:variable", "8", secret=False)
+
+ def test_ensure_config_exception(self, sre_project_manager):
+
+ with raises(
+ DataSafeHavenPulumiError,
+ match=r"Unchangeable configuration option 'azure-native:location'.*your configuration: 'ukwest', Pulumi workspace: 'uksouth'",
+ ):
+ sre_project_manager.ensure_config(
+ "azure-native:location", "ukwest", secret=False
+ )
+
 def test_new_project(
 self,
 context_no_secrets,
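Review bot: Neither new test exercises the branch of `ensure_config` that handles a key missing from the stack (`except automation.CommandError` followed by `set_config`), since both appear to use keys the fixture already defines. `test_ensure_config` also asserts nothing beyond "did not raise". A third case with a key that is absent from the fixture would cover the missing-key branch, for example `sre_project_manager.ensure_config("data-safe-haven:<unset-key>", "value", secret=False)` (placeholder key), followed by an assertion on the stored value. A `secret=True` mismatch case is also worth adding, to pin down what the exception message may contain for secret options.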