diff --git a/.github/workflows/teardown.yml b/.github/workflows/teardown.yml
index 9642a2f..e45df34 100644
--- a/.github/workflows/teardown.yml
+++ b/.github/workflows/teardown.yml
@@ -34,6 +34,13 @@ jobs:
       - name: Install azd
         uses: Azure/setup-azd@v2
 
+      - name: Azure login (OIDC)
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: azd auth login (OIDC)
         run: |
           azd auth login \
@@ -41,17 +48,21 @@ jobs:
             --tenant-id "$AZURE_TENANT_ID" \
             --federated-credential-provider github
 
-      - name: azd env select
+      - name: azd env select (re-hydrate or create)
         run: |
           azd env select "$AZURE_ENV_NAME" || \
             azd env new "$AZURE_ENV_NAME" \
               --no-prompt \
               --subscription "$AZURE_SUBSCRIPTION_ID"
 
-      - name: azd down --purge --force
-        run: azd down --environment "$AZURE_ENV_NAME" --purge --force --no-prompt
+      # Tolerate missing/partial azd state — the RG delete below is the real safety net.
+      - name: azd down --purge --force (best effort)
+        continue-on-error: true
+        run: azd down --environment "$AZURE_ENV_NAME" --purge --force --no-prompt || true
 
       # Belt-and-braces fallback if azd state was missing or partial.
       - name: Force RG delete (no-op if already gone)
         if: always()
-        run: az group delete --name "rg-$AZURE_ENV_NAME" --yes --no-wait || true
+        run: |
+          az account set --subscription "$AZURE_SUBSCRIPTION_ID"
+          az group delete --name "rg-$AZURE_ENV_NAME" --yes --no-wait || true