diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index ef8800f..22be8e3 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -175,18 +175,23 @@ docker compose -p "$COMPOSE_PROJECT" up -d
 # ---------- 6. Frontend build + sync ----------
 
 if (( DO_FRONTEND )); then
-    AZ_TENANT=$(get_env_var VITE_AZURE_TENANT_ID); AZ_TENANT=${AZ_TENANT:-$(get_env_var AZURE_TENANT_ID)}
-    AZ_CLIENT=$(get_env_var VITE_AZURE_CLIENT_ID); AZ_CLIENT=${AZ_CLIENT:-$(get_env_var AZURE_CLIENT_ID)}
-    if [[ -z "$AZ_TENANT" || -z "$AZ_CLIENT" ]]; then
-        err "AZURE_TENANT_ID and AZURE_CLIENT_ID must be set in .env to build the SPA."
-        exit 1
-    fi
     # Mirror DEV_AUTH_BYPASS into VITE_DEV_AUTH_BYPASS so a single env var
     # decides both backend token validation and frontend MSAL gating.
     VITE_BYPASS=$(get_env_var VITE_DEV_AUTH_BYPASS)
     [[ -z "$VITE_BYPASS" ]] && VITE_BYPASS=$(get_env_var DEV_AUTH_BYPASS)
     [[ -z "$VITE_BYPASS" ]] && VITE_BYPASS="false"
 
+    AZ_TENANT=$(get_env_var VITE_AZURE_TENANT_ID); AZ_TENANT=${AZ_TENANT:-$(get_env_var AZURE_TENANT_ID)}
+    AZ_CLIENT=$(get_env_var VITE_AZURE_CLIENT_ID); AZ_CLIENT=${AZ_CLIENT:-$(get_env_var AZURE_CLIENT_ID)}
+    # Azure values are only needed when the SPA actually performs MSAL sign-in.
+    # In bypass mode the SPA skips msalInstance.initialize() entirely, so empty
+    # strings are fine.
+    if [[ "$VITE_BYPASS" != "true" ]] && [[ -z "$AZ_TENANT" || -z "$AZ_CLIENT" ]]; then
+        err "AZURE_TENANT_ID and AZURE_CLIENT_ID must be set in .env to build the SPA."
+        err "  (Or set DEV_AUTH_BYPASS=true to skip MSAL entirely for now.)"
+        exit 1
+    fi
+
     log "Building Vite SPA (VITE_DEV_AUTH_BYPASS=${VITE_BYPASS}) in a one-shot node:20 container…"
     docker run --rm \
         -v "$REPO_ROOT/frontend:/app" \