diff --git a/.gitea/workflows/ci.yaml.old b/.gitea/workflows/ci.yaml.old deleted file mode 100644 index f9f27eb..0000000 --- a/.gitea/workflows/ci.yaml.old +++ /dev/null 
@@ -1,42 +0,0 @@ -name: CI Build and Deploy - -on: - push: - branches: - - master - -jobs: - build: - runs-on: host - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Build - run: dotnet build AdPlatformServers.sln --configuration Release - - - name: Build Images - run: | - podman build -t adplatform/gateway:latest -f Gateway/Dockerfile . - podman build -t adplatform/management:latest -f Management/Dockerfile . - podman build -t adplatform/creative:latest -f Creative/Dockerfile . - podman build -t adplatform/googleapi:latest -f GoogleApi/Dockerfile . - podman build -t adplatform/intelligenceapi:latest -f IntelligenceApi/Dockerfile . - podman build -t adplatform/metaapi:latest -f MetaApi/Dockerfile . - podman build -t adplatform/tiktokapi:latest -f TikTokApi/Dockerfile . - podman build -t adplatform/registration:latest -f Registration/Dockerfile . - - - name: Transfer Images to App Server - run: | - podman save adplatform/gateway:latest | ssh -i ~/.ssh/gitea_runner root@10.10.25.211 "podman load" - podman save adplatform/management:latest | ssh -i ~/.ssh/gitea_runner root@10.10.25.211 "podman load" - podman save adplatform/creative:latest | ssh -i ~/.ssh/gitea_runner root@10.10.25.211 "podman load" - podman save adplatform/googleapi:latest | ssh -i ~/.ssh/gitea_runner root@10.10.25.211 "podman load" - podman save adplatform/intelligenceapi:latest | ssh -i ~/.ssh/gitea_runner root@10.10.25.211 "podman load" - podman save adplatform/metaapi:latest | ssh -i ~/.ssh/gitea_runner root@10.10.25.211 "podman load" - podman save adplatform/tiktokapi:latest | ssh -i ~/.ssh/gitea_runner root@10.10.25.211 "podman load" - podman save adplatform/registration:latest | ssh -i ~/.ssh/gitea_runner root@10.10.25.211 "podman load" - - - name: Deploy on App Server - run: | - ssh -i ~/.ssh/gitea_runner root@10.10.25.211 "cd /opt/adplatform && podman-compose down && podman-compose up -d" \ No newline at end of file 
diff --git a/Management/Management.zip b/Management/Management.zip new file mode 100644 index 0000000..7ac81e0 Binary files /dev/null and b/Management/Management.zip differ diff --git a/Management/Security/ClientAuthMiddleware.cs b/Management/Security/ClientAuthMiddleware.cs index 14aa53a..148be16 100644 --- a/Management/Security/ClientAuthMiddleware.cs +++ b/Management/Security/ClientAuthMiddleware.cs @@ -255,7 +255,7 @@ public sealed class ClientAuthMiddleware var tenantId = _config["Auth:Staff:TenantId"]; var clientId = _config["Auth:Staff:ClientId"]; - var instance = _config["Auth:Staff:Instance"] ?? "https://usimclients.ciamlogin.com/"; + var instance = _config["Auth:Staff:Instance"] ?? "https://login.microsoftonline.com/"; if (string.IsNullOrWhiteSpace(tenantId) || string.IsNullOrWhiteSpace(clientId)) return false; diff --git a/Management/appsettings.json b/Management/appsettings.json index c9252aa..39353bf 100644 --- a/Management/appsettings.json +++ b/Management/appsettings.json 
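Review bot: The new fallback `?? "https://login.microsoftonline.com/"` lets a missing `Auth:Staff:Instance` silently decide which authority's tokens are trusted, while the check two lines below returns false when `TenantId` or `ClientId` is absent; all three values should fail the same way rather than one of them quietly defaulting. Since `Management/appsettings.json` in this same commit now sets `Auth:Staff:Instance` explicitly, the fallback can be dropped: `var instance = _config["Auth:Staff:Instance"];` and `if (string.IsNullOrWhiteSpace(tenantId) || string.IsNullOrWhiteSpace(clientId) || string.IsNullOrWhiteSpace(instance)) return false;`. If the default is intentionally kept, a comment such as `// Default assumes an Entra ID org tenant; a CIAM tenant must set Auth:Staff:Instance explicitly` would record why it changed from the CIAM host. The enclosing method starts and ends outside the hunk, so how `instance` and `tenantId` are combined into the issuer/authority that tokens are validated against is not visible here.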
@@ -10,22 +10,26 @@ "AllowDevBypass": false, /* - * STAFF IDENTITY — Entra External ID (dev) / Entra org tenant (prod) + * STAFF IDENTITY - Microsoft Entra ID (positivespend tenant) * - * PRODUCTION MIGRATION: update these three environment variables only. - * No code changes required. + * App registration: AdPlatform Management Staff API (af95fa13) in positivespend tenant f56a3c51. + * The Tech SPA (846a3677) authenticates against this same tenant and + * requests scope api://af95fa13-.../access_as_user. * - * Auth__Staff__Instance → https://login.microsoftonline.com/ - * Auth__Staff__TenantId → new company org tenant ID - * Auth__Staff__ClientId → staff app registration in org tenant + * Management validates JWTs: + * issuer = login.microsoftonline.com/f56a3c51/v2.0 + * audience = af95fa13 or api://af95fa13 + * roles = Staff.Admin | Staff.Tech * - * DEV: CIAM tenant used as placeholder (staff/client login looks identical). - * The API-level audience isolation is real regardless of tenant. + * These are the correct defaults - also set as env vars on the container: + * Auth__Staff__Instance = https://login.microsoftonline.com/ + * Auth__Staff__TenantId = f56a3c51-9b5c-4356-920f-b4dcf932a96b + * Auth__Staff__ClientId = af95fa13-2ef4-4911-b137-7acc6a784cfa */ "Staff": { - "Instance": "https://usimclients.ciamlogin.com/", - "TenantId": "891f98f1-ed34-42a1-9b6c-28b0554d92c2", - "ClientId": "STAFF_APP_CLIENT_ID" + "Instance": "https://login.microsoftonline.com/", + "TenantId": "f56a3c51-9b5c-4356-920f-b4dcf932a96b", + "ClientId": "af95fa13-2ef4-4911-b137-7acc6a784cfa" } },
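Review bot: The rewritten comment says the tenant and client IDs are "also set as env vars on the container" while the same values are now hard-coded in the base `appsettings.json`, which leaves two sources of truth without saying which one wins; with the default ASP.NET Core host configuration, `Auth__Staff__*` environment variables are loaded after this file and override it, so the comment should state that precedence, e.g. `* Env vars Auth__Staff__Instance/TenantId/ClientId override these values when set; keep them in sync or remove one source.`. The previous comment also documented that a tenant change was an environment-variable-only operation; the new text drops that, so a later move off the positivespend tenant will now require editing committed config unless the override note is kept. The lines `audience = af95fa13 or api://af95fa13` and `roles = Staff.Admin | Staff.Tech` describe validation behaviour that this diff does not show the middleware enforcing, so they should be phrased as what the app registration is configured to issue, or the comment should point to the code in `ClientAuthMiddleware.cs` that applies them. The abbreviated IDs in the comment (`af95fa13`, `f56a3c51`) are truncated forms of the full GUIDs set a few lines below; spelling out that they are abbreviations avoids a reader searching for a short ID that does not exist.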