diff --git a/.tofu/platforms/aks/dev/.terraform.tfstate.lock.info b/.tofu/platforms/aks/dev/.terraform.tfstate.lock.info
new file mode 100644
index 0000000..ae7ea29
--- /dev/null
+++ b/.tofu/platforms/aks/dev/.terraform.tfstate.lock.info
@@ -0,0 +1 @@
+{"ID":"7c7a5ed8-5425-abc4-53ed-9cbf76e65e05","Operation":"OperationTypePlan","Info":"","Who":"danijels@PF44RC05","Version":"1.11.6","Created":"2026-04-27T19:11:57.353171472Z","Path":"terraform.tfstate"}
\ No newline at end of file
diff --git a/.tofu/platforms/aks/dev/providers.tf b/.tofu/platforms/aks/dev/providers.tf
index e5f22fb..6fb4c66 100644
--- a/.tofu/platforms/aks/dev/providers.tf
+++ b/.tofu/platforms/aks/dev/providers.tf
@@ -23,3 +23,7 @@ provider "azurerm" {
   #   ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
   # Or: az login (uses your Azure CLI session)
 }
+
+provider "azuread" {
+  # Uses same Azure CLI session or ARM_TENANT_ID env var
+}
diff --git a/.tofu/platforms/aks/modules/cluster/main.tf b/.tofu/platforms/aks/modules/cluster/main.tf
index f01488d..16c0615 100644
--- a/.tofu/platforms/aks/modules/cluster/main.tf
+++ b/.tofu/platforms/aks/modules/cluster/main.tf
@@ -278,7 +278,7 @@ resource "azuread_application" "keycloak_idp" {
     description          = "Full access to DevOps platform administration"
     display_name         = "DevOps Admins"
     enabled              = true
-    id                   = "a1b2c3d4-0001-4000-8000-devopsadmins0" # stable GUID
+    id                   = "a1b2c3d4-0001-4000-8000-de0ad1000001" # stable GUID
     value                = "devops-admins"
   }
 
@@ -287,7 +287,7 @@ resource "azuread_application" "keycloak_idp" {
     description          = "Developer access to DevOps platform services"
     display_name         = "Developers"
     enabled              = true
-    id                   = "a1b2c3d4-0002-4000-8000-developers000" # stable GUID
+    id                   = "a1b2c3d4-0002-4000-8000-de0e10be0002" # stable GUID
     value                = "developers"
   }
 
@@ -296,7 +296,7 @@ resource "azuread_application" "keycloak_idp" {
     description          = "Read-only access to DevOps platform services"
     display_name         = "Viewers"
     enabled              = true
-    id                   = "a1b2c3d4-0003-4000-8000-viewers000000" # stable GUID
+    id                   = "a1b2c3d4-0003-4000-8000-00e0e0000003" # stable GUID
     value                = "viewers"
   }
 }
diff --git a/.tofu/platforms/aks/prod/providers.tf b/.tofu/platforms/aks/prod/providers.tf
index e5f22fb..6fb4c66 100644
--- a/.tofu/platforms/aks/prod/providers.tf
+++ b/.tofu/platforms/aks/prod/providers.tf
@@ -23,3 +23,7 @@ provider "azurerm" {
   #   ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
   # Or: az login (uses your Azure CLI session)
 }
+
+provider "azuread" {
+  # Uses same Azure CLI session or ARM_TENANT_ID env var
+}