diff --git a/app/Services/Intune/TenantPermissionService.php b/app/Services/Intune/TenantPermissionService.php
index 43760c3..32f3a7f 100644
--- a/app/Services/Intune/TenantPermissionService.php
+++ b/app/Services/Intune/TenantPermissionService.php
@@ -44,10 +44,18 @@ public function getGrantedPermissions(Tenant $tenant): array
     public function compare(Tenant $tenant, ?array $grantedStatuses = null, bool $persist = true, bool $liveCheck = false): array
     {
         $required = $this->getRequiredPermissions();
+        $liveCheckFailed = false;
+        $liveCheckDetails = null;
 
         // If liveCheck is requested, fetch actual permissions from Graph
         if ($liveCheck && $grantedStatuses === null) {
             $grantedStatuses = $this->fetchLivePermissions($tenant);
+
+            if (isset($grantedStatuses['__error'])) {
+                $liveCheckFailed = true;
+                $liveCheckDetails = $grantedStatuses['__error']['details'] ?? null;
+                unset($grantedStatuses['__error']);
+            }
         }
 
         $granted = $this->normalizeGrantedStatuses(
@@ -60,8 +68,12 @@ public function compare(Tenant $tenant, ?array $grantedStatuses = null, bool $pe
 
         foreach ($required as $permission) {
             $key = $permission['key'];
-            $status = $granted[$key]['status'] ?? 'missing';
-            $details = $granted[$key]['details'] ?? null;
+            $status = $liveCheckFailed
+                ? 'error'
+                : ($granted[$key]['status'] ?? 'missing');
+            $details = $liveCheckFailed
+                ? ($liveCheckDetails ?? ['source' => 'graph_api'])
+                : ($granted[$key]['details'] ?? null);
 
             if ($persist) {
                 TenantPermission::updateOrCreate(
@@ -175,7 +187,16 @@ private function fetchLivePermissions(Tenant $tenant): array
             );
 
             if (! $response->success) {
-                return [];
+                return [
+                    '__error' => [
+                        'status' => 'error',
+                        'details' => [
+                            'source' => 'graph_api',
+                            'status' => $response->status,
+                            'errors' => $response->errors,
+                        ],
+                    ],
+                ];
             }
 
             $grantedPermissions = $response->data['permissions'] ?? [];
@@ -196,7 +217,15 @@ private function fetchLivePermissions(Tenant $tenant): array
                 'error' => $e->getMessage(),
             ]);
 
-            return [];
+            return [
+                '__error' => [
+                    'status' => 'error',
+                    'details' => [
+                        'source' => 'graph_api',
+                        'message' => $e->getMessage(),
+                    ],
+                ],
+            ];
         }
     }
 }
diff --git a/tests/Feature/Filament/TenantSetupTest.php b/tests/Feature/Filament/TenantSetupTest.php
index df38c39..5661fa2 100644
--- a/tests/Feature/Filament/TenantSetupTest.php
+++ b/tests/Feature/Filament/TenantSetupTest.php
@@ -158,6 +158,8 @@ public function request(string $method, string $path, array $options = []): Grap
         'name' => 'UI Tenant',
     ]);
 
+    config(['intune_permissions.granted_stub' => []]);
+
     $permissions = config('intune_permissions.permissions', []);
     $firstKey = $permissions[0]['key'] ?? 'DeviceManagementConfiguration.ReadWrite.All';