diff --git a/clientapi/admin_test.go b/clientapi/admin_test.go
index b957215a..dfc1c33f 100644
--- a/clientapi/admin_test.go
+++ b/clientapi/admin_test.go
@@ -1514,7 +1514,6 @@ func TestAdminCheckUsernameAvailable(t *testing.T) {
 		caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
 		rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
 		rsAPI.SetFederationAPI(nil, nil)
-		// Needed for changing the password/login
 		userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil, caching.DisableMetrics, testIsBlacklistedOrBackingOff)
 		// We mostly need the userAPI for this test, so nil for other APIs/caches etc.
 		AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, nil, caching.DisableMetrics)
@@ -1572,7 +1571,113 @@ func TestAdminCheckUsernameAvailable(t *testing.T) {
 }
 
 func TestAdminUserDeviceRetrieveCreate(t *testing.T) {
+	alice := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
+	bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
+	adminToken := "superSecretAdminToken"
+	ctx := context.Background()
 
+	test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
+		cfg, processCtx, close := testrig.CreateConfig(t, dbType)
+		defer close()
+		natsInstance := jetstream.NATSInstance{}
+		// add a vhost
+		cfg.Global.VirtualHosts = append(cfg.Global.VirtualHosts, &config.VirtualHost{
+			SigningIdentity: fclient.SigningIdentity{ServerName: "vh1"},
+		})
+		// There's no need to add a full config for msc3861 as we need only an admin token
+		cfg.ClientAPI.MSCs.MSCs = []string{"msc3861"}
+		cfg.ClientAPI.MSCs.MSC3861 = &config.MSC3861{AdminToken: adminToken}
+
+		routers := httputil.NewRouters()
+		cm := sqlutil.NewConnectionManager(processCtx, cfg.Global.DatabaseOptions)
+		caches := caching.NewRistrettoCache(128*1024*1024, time.Hour, caching.DisableMetrics)
+		rsAPI := roomserver.NewInternalAPI(processCtx, cfg, cm, &natsInstance, caches, caching.DisableMetrics)
+		rsAPI.SetFederationAPI(nil, nil)
+		userAPI := userapi.NewInternalAPI(processCtx, cfg, cm, &natsInstance, rsAPI, nil, caching.DisableMetrics, testIsBlacklistedOrBackingOff)
+		// We mostly need the userAPI for this test, so nil for other APIs/caches etc.
+		AddPublicRoutes(processCtx, routers, cfg, &natsInstance, nil, rsAPI, nil, nil, nil, userAPI, nil, nil, nil, caching.DisableMetrics)
+
+		for _, u := range []*test.User{alice, bob} {
+			userRes := &uapi.PerformAccountCreationResponse{}
+			if err := userAPI.PerformAccountCreation(ctx, &uapi.PerformAccountCreationRequest{
+				AccountType: u.AccountType,
+				Localpart:   u.Localpart,
+				ServerName:  cfg.Global.ServerName,
+				Password:    "",
+			}, userRes); err != nil {
+				t.Errorf("failed to create account: %s", err)
+			}
+		}
+
+		t.Run("Missing auth token", func(t *testing.T) {
+			req := test.NewRequest(t, http.MethodGet, "/_synapse/admin/v2/users/"+alice.ID+"/devices")
+			rec := httptest.NewRecorder()
+			routers.SynapseAdmin.ServeHTTP(rec, req)
+			t.Logf("%s", rec.Body.String())
+			if rec.Code != http.StatusUnauthorized {
+				t.Fatalf("expected http status %d, got %d: %s", http.StatusUnauthorized, rec.Code, rec.Body.String())
+			}
+			var b spec.MatrixError
+			_ = json.NewDecoder(rec.Body).Decode(&b)
+			if b.ErrCode != spec.ErrorMissingToken {
+				t.Fatalf("expected error code %s, got %s", spec.ErrorMissingToken, b.ErrCode)
+			}
+		})
+
+		t.Run("Retrieve device", func(t *testing.T) {
+			var deviceRes uapi.PerformDeviceCreationResponse
+			if err := userAPI.PerformDeviceCreation(ctx, &uapi.PerformDeviceCreationRequest{
+				Localpart:  alice.Localpart,
+				ServerName: cfg.Global.ServerName,
+			}, &deviceRes); err != nil {
+				t.Errorf("failed to create account: %s", err)
+			}
+			req := test.NewRequest(t, http.MethodGet, "/_synapse/admin/v2/users/"+alice.ID+"/devices")
+			req.Header.Set("Authorization", "Bearer "+adminToken)
+
+			rec := httptest.NewRecorder()
+			routers.SynapseAdmin.ServeHTTP(rec, req)
+			t.Logf("%s", rec.Body.String())
+			var body struct {
+				Total   int `json:"total"`
+				Devices []struct {
+					DeviceID string `json:"device_id"`
+				} `json:"devices"`
+			}
+			_ = json.NewDecoder(rec.Body).Decode(&body)
+			if body.Total != 1 {
+				t.Errorf("expected 1 device, got %d", body.Total)
+			}
+			if len(body.Devices) != 1 {
+				t.Errorf("expected 1 device, got %d", len(body.Devices))
+			}
+		})
+
+		t.Run("Create device", func(t *testing.T) {
+			reqBody := struct {
+				DeviceID string `json:"device_id"`
+			}{DeviceID: "devBob"}
+			req := test.NewRequest(t, http.MethodPost, "/_synapse/admin/v2/users/"+bob.ID+"/devices", test.WithJSONBody(t, reqBody))
+			req.Header.Set("Authorization", "Bearer "+adminToken)
+
+			rec := httptest.NewRecorder()
+			routers.SynapseAdmin.ServeHTTP(rec, req)
+			t.Logf("%s", rec.Body.String())
+			if rec.Code != http.StatusCreated {
+				t.Fatalf("expected HTTP status %d, got %d: %s", http.StatusCreated, rec.Code, rec.Body.String())
+			}
+
+			var res uapi.QueryDevicesResponse
+			_ = userAPI.QueryDevices(ctx, &uapi.QueryDevicesRequest{UserID: bob.ID}, &res)
+			if len(res.Devices) != 1 {
+				t.Errorf("expected 1 device, got %d", len(res.Devices))
+			}
+			if res.Devices[0].ID != "devBob" {
+				t.Errorf("expected device to be devBob, got %s", res.Devices[0].ID)
+			}
+		})
+
+	})
 }
 
 func TestAdminUserDeviceDelete(t *testing.T) {