diff --git a/.claude/skills/remediation-tool/scripts/onboard-tenant.sh b/.claude/skills/remediation-tool/scripts/onboard-tenant.sh
index c74ac9a..41c5603 100644
--- a/.claude/skills/remediation-tool/scripts/onboard-tenant.sh
+++ b/.claude/skills/remediation-tool/scripts/onboard-tenant.sh
@@ -184,6 +184,8 @@ create_sp_if_missing() {
 fi
 echo " [CREATED] $app_name SP: $new_oid" >&2
+ # Brief pause for Graph replication before granting appRoleAssignments
+ sleep 5
 echo "$new_oid"
 }
@@ -199,7 +201,7 @@ grant_app_role() {
 already=$(curl -s --max-time 15 \
 -H "Authorization: Bearer $token" \
 "https://graph.microsoft.com/v1.0/servicePrincipals/$principal_oid/appRoleAssignments" \
- | jq --arg rid "$role_id" '[.value[] | select(.appRoleId == $rid)] | length > 0')
+ | jq --arg rid "$role_id" '([.value[]? | select(.appRoleId == $rid)] | length) > 0')
 if [[ "$already" == "true" ]]; then
 return 0
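Review bot: The fixed `sleep 5` after the `[CREATED]` message is a guess at Graph replication latency: it can be too short under load, and it delays every newly created SP even when the object is already readable. A bounded poll that reads the new SP back before printing `$new_oid` makes the wait explicit and lets the script warn when the object never becomes visible. The sketch below assumes `$token` is in scope in create_sp_if_missing as it is in grant_app_role, which the hunk does not show. A successful read still does not guarantee that the following write reaches a caught-up replica, so retrying the grant call itself may be the more robust place. The function body starts outside the hunk.

```shell
  # … unchanged: SP creation and the [CREATED] message …
  # Bounded wait until the new SP is readable; stdout stays reserved for the oid.
  local attempt status=""
  for attempt in 1 2 3 4 5 6; do
    status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 15 \
      -H "Authorization: Bearer $token" \
      "https://graph.microsoft.com/v1.0/servicePrincipals/$new_oid")
    if [[ "$status" == "200" ]]; then
      break
    fi
    sleep 2
  done
  if [[ "$status" != "200" ]]; then
    echo "  [WARN] $app_name SP $new_oid not readable yet (HTTP $status)" >&2
  fi
  echo "$new_oid"
```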
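Review bot: With `.value[]?` in the new jq filter, a Graph error body (expired token, 403, throttling) now evaluates to `false` instead of failing in jq, so `already` cannot tell "role not assigned" from "lookup failed". curl runs with `-s` and no `--fail`, so an HTTP error reaches jq as ordinary JSON and the function carries on as if the grant were missing. Making the missing `value` key an explicit error keeps the null-safety without hiding the failure, for example `jq --arg rid "$role_id" 'if has("value") then any(.value[]; .appRoleId == $rid) else error("appRoleAssignments lookup failed") end'`, with the assignment followed by `|| return 1`. grant_app_role starts and continues outside the hunk, so how a failed lookup is handled afterwards is not visible here.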