diff --git a/config/external_name.go b/config/external_name.go
index 36e84828..1ca52045 100644
--- a/config/external_name.go
+++ b/config/external_name.go
@@ -24,7 +24,7 @@ var ExternalNameConfigs = map[string]config.ExternalName{
 	"keycloak_role":                                    config.IdentifierFromProvider,
 	"keycloak_user_groups":                             config.IdentifierFromProvider,
 	"keycloak_user":                                    config.IdentifierFromProvider,
-	"keycloak_default_roles":                           config.IdentifierFromProvider,
+	"keycloak_default_roles":                           config.TemplatedStringAsIdentifier("id", "{{ .parameters.realmId }}/{{ .external_name }}"),
 	"keycloak_oidc_identity_provider":                  config.IdentifierFromProvider,
 	"keycloak_saml_identity_provider":                  config.IdentifierFromProvider,
 	"keycloak_realm_keystore_rsa":                      config.IdentifierFromProvider,
diff --git a/internal/controller/defaults/roles/zz_controller.go b/internal/controller/defaults/roles/zz_controller.go
index f0e0330d..385e1cbb 100755
--- a/internal/controller/defaults/roles/zz_controller.go
+++ b/internal/controller/defaults/roles/zz_controller.go
@@ -32,6 +32,7 @@ import (
 func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	name := managed.ControllerName(v1alpha1.Roles_GroupVersionKind.String())
 	var initializers managed.InitializerChain
+	initializers = append(initializers, managed.NewNameAsExternalName(mgr.GetClient()))
 	cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK, connection.WithTLSConfig(o.ESSOptions.TLSConfig)))