diff --git a/vmware_nsx/plugins/nsx_v3/plugin.py b/vmware_nsx/plugins/nsx_v3/plugin.py
index c642bcf1df..c817960133 100644
--- a/vmware_nsx/plugins/nsx_v3/plugin.py
+++ b/vmware_nsx/plugins/nsx_v3/plugin.py
@@ -1733,6 +1733,14 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
             if not utils.is_ipv4_ip_address(ip):
                 raise nsx_exc.InvalidIPAddress(ip_address=ip)
 
+    def _provider_sgs_specified(self, port_data):
+        # checks if security groups were updated adding/modifying
+        # security groups, port security is set and port has ip
+        provider_sgs_specified = (validators.is_attr_set(
+            port_data.get(provider_sg.PROVIDER_SECURITYGROUPS)) and
+            port_data.get(provider_sg.PROVIDER_SECURITYGROUPS) != [])
+        return provider_sgs_specified
+
     def _create_port_preprocess_security(
             self, context, port, port_data, neutron_db):
         (port_security, has_ip) = self._determine_port_security_and_has_ip(
@@ -1758,10 +1766,8 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
             self._ensure_default_security_group_on_port(context, port)
             (sgids, psgids) = self._get_port_security_groups_lists(
                 context, port)
-        # FIXME(roeyc): Also raise when provider security-groups specified but
-        # port-security is disabled.
-        elif self._check_update_has_security_groups(
-                {'port': port_data}):
+        elif (self._check_update_has_security_groups({'port': port_data}) or
+              self._provider_sgs_specified(port_data)):
             raise psec_exc.PortSecurityAndIPRequiredForSecurityGroups()
         else:
             sgids = psgids = []
@@ -2352,9 +2358,7 @@ class NsxV3Plugin(agentschedulers_db.AZDhcpAgentSchedulerDbMixin,
 
         # checks if security groups were updated adding/modifying
         # security groups, port security is set and port has ip
-        provider_sgs_specified = (validators.is_attr_set(
-            port_data.get(provider_sg.PROVIDER_SECURITYGROUPS)) and
-            port['port'][provider_sg.PROVIDER_SECURITYGROUPS] != [])
+        provider_sgs_specified = self._provider_sgs_specified(port_data)
         if (validate_port_sec and
             not (has_ip and updated_port[psec.PORTSECURITY])):
             if has_security_groups or provider_sgs_specified: