diff --git a/data_safe_haven/commands/sre.py b/data_safe_haven/commands/sre.py
index 52942f637e..e519eec3fd 100644
--- a/data_safe_haven/commands/sre.py
+++ b/data_safe_haven/commands/sre.py
@@ -82,9 +82,12 @@ def deploy(
 )
 # Set Entra options
 application = graph_api.get_application_by_name(context.entra_application_name)
- stack.add_option("azuread:clientId", application["appId"], replace=True)
+ if not application:
+ msg = f"No Entra application '{context.entra_application_name}' was found. Please redeploy your SHM."
+ raise DataSafeHavenConfigError(msg)
+ stack.add_option("azuread:clientId", application.get("appId", ""), replace=True)
 if not context.entra_application_secret:
- msg = f"No Entra '{context.entra_application_secret_name}' was found. Please redeploy your SHM."
+ msg = f"No Entra application secret '{context.entra_application_secret_name}' was found. Please redeploy your SHM."
 raise DataSafeHavenConfigError(msg)
 stack.add_secret(
 "azuread:clientSecret", context.entra_application_secret, replace=True
diff --git a/data_safe_haven/config/context.py b/data_safe_haven/config/context.py
index 36daa6e035..cadd875260 100644
--- a/data_safe_haven/config/context.py
+++ b/data_safe_haven/config/context.py
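Review bot: In `deploy()` (commands/sre.py) the new `application.get("appId", "")` silently substitutes an empty string when the returned Entra application record has no `appId`, so the stack would be configured with an empty `azuread:clientId` and the failure would only surface later, in the provider, with a less useful message. The lines just above already raise `DataSafeHavenConfigError` for a missing application, so a missing identifier should fail the same way: widen the guard to `if not application or not application.get("appId"):` and keep `stack.add_option("azuread:clientId", application["appId"], replace=True)`. The message also tells the operator to redeploy the SHM for any falsy result; if `get_application_by_name` can return nothing on a Graph API permission or token problem (not visible here), that advice may point the operator at the wrong fix. The body of `deploy()` starts and ends outside this hunk.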
@@ -17,15 +17,18 @@ class Context(ContextBase, BaseModel, validate_assignment=True): + """Context for a Data Safe Haven deployment.""" + + entra_application_kvsecret_name: ClassVar[str] = "pulumi-deployment-secret" + entra_application_secret_name: ClassVar[str] = "Pulumi Deployment Secret" + pulumi_encryption_key_name: ClassVar[str] = "pulumi-encryption-key" + pulumi_storage_container_name: ClassVar[str] = "pulumi" + storage_container_name: ClassVar[str] = "config" + admin_group_name: EntraGroupName description: str name: SafeString subscription_name: AzureSubscriptionName - storage_container_name: ClassVar[str] = "config" - pulumi_storage_container_name: ClassVar[str] = "pulumi" - pulumi_encryption_key_name: ClassVar[str] = "pulumi-encryption-key" - entra_application_secret_name: ClassVar[str] = "Pulumi Deployment Secret" - entra_application_kvsecret_name: ClassVar[str] = "pulumi-deployment-secret" _pulumi_encryption_key = None _entra_application_secret = None @@ -49,7 +52,7 @@ def entra_application_secret(self) -> str: return self._entra_application_secret @entra_application_secret.setter - def entra_application_secret(self, application_secret: str): + def entra_application_secret(self, application_secret: str) -> None: azure_sdk = AzureSdk(subscription_name=self.subscription_name) azure_sdk.set_keyvault_secret( secret_name=self.entra_application_kvsecret_name, diff --git a/data_safe_haven/config/dsh_pulumi_config.py b/data_safe_haven/config/dsh_pulumi_config.py index 63581d31dd..1aae87996c 100644 --- a/data_safe_haven/config/dsh_pulumi_config.py +++ b/data_safe_haven/config/dsh_pulumi_config.py @@ -12,6 +12,7 @@ class DSHPulumiConfig(AzureSerialisableModel): config_type: ClassVar[str] = "Pulumi" default_filename: ClassVar[str] = "pulumi.yaml" + encrypted_key: str | None projects: dict[str, DSHPulumiProject] diff --git a/data_safe_haven/config/shm_config.py b/data_safe_haven/config/shm_config.py index 2f5ef85f01..d964a79915 100644 
--- a/data_safe_haven/config/shm_config.py +++ b/data_safe_haven/config/shm_config.py @@ -11,8 +11,11 @@ class SHMConfig(AzureSerialisableModel): + """Serialisable config for a Data Safe Haven management component.""" + config_type: ClassVar[str] = "SHMConfig" default_filename: ClassVar[str] = "shm.yaml" + azure: ConfigSectionAzure shm: ConfigSectionSHM diff --git a/data_safe_haven/config/sre_config.py b/data_safe_haven/config/sre_config.py index 5a5d6367e1..f4ee5ed6c9 100644 --- a/data_safe_haven/config/sre_config.py +++ b/data_safe_haven/config/sre_config.py @@ -23,8 +23,11 @@ def sre_config_name(sre_name: str) -> str: class SREConfig(AzureSerialisableModel): + """Serialisable config for a secure research environment component.""" + config_type: ClassVar[str] = "SREConfig" default_filename: ClassVar[str] = "sre.yaml" + azure: ConfigSectionAzure description: str dockerhub: ConfigSectionDockerHub diff --git a/pyproject.toml b/pyproject.toml index c82ed27450..a50eb37b8c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -162,6 +162,7 @@ module = [ "pandas.*", "psycopg.*", "pulumi.*", + "pulumi_azuread.*", "pulumi_azure_native.*", "pulumi_random.*", "pulumi_tls.*",