diff --git a/packages/crm-service/src/auth/guards/tenant.guard.ts b/packages/crm-service/src/auth/guards/tenant.guard.ts
index 3629e84..7a5de51 100644
--- a/packages/crm-service/src/auth/guards/tenant.guard.ts
+++ b/packages/crm-service/src/auth/guards/tenant.guard.ts
@@ -12,14 +12,12 @@ export class TenantGuard implements CanActivate {
 const request = context.switchToHttp().getRequest();
 const user = request.user as JwtPayload;
- // PLATFORM_ADMIN hat Zugriff auf alle Tenants
- if (user?.role === 'PLATFORM_ADMIN') {
- return true;
- }
-
- // Alle anderen User muessen eine tenantId haben
+ // Alle User (auch PLATFORM_ADMIN) muessen eine tenantId haben
+ // um auf tenant-spezifische CRM-Ressourcen zuzugreifen.
 if (!user?.tenantId) {
- throw new ForbiddenException('Kein Mandant zugeordnet');
+ throw new ForbiddenException(
+ 'Kein Mandant zugeordnet. Bitte mit einem mandanten-gebundenen Account anmelden.',
+ );
 }
 return true;
diff --git a/packages/crm-service/src/lexware/lexware-contacts.service.ts b/packages/crm-service/src/lexware/lexware-contacts.service.ts
index 1be6e5f..3414296 100644
--- a/packages/crm-service/src/lexware/lexware-contacts.service.ts
+++ b/packages/crm-service/src/lexware/lexware-contacts.service.ts
@@ -7,6 +7,7 @@ import {
 Logger,
 NotFoundException,
 ConflictException,
+ BadRequestException,
 } from '@nestjs/common';
 import { CrmPrismaService } from '../prisma/crm-prisma.service';
 import { LexwareClientService } from './lexware-client.service';
@@ -213,6 +214,12 @@ export class LexwareContactsService {
 lexwareContactId: string,
 userId: string,
 ) {
+ if (!tenantId) {
+ throw new BadRequestException(
+ 'tenantId fehlt. Bitte mit einem mandanten-gebundenen Account anmelden.',
+ );
+ }
+
 // Pruefe ob bereits verknuepft
 const existing = await this.prisma.company.findFirst({
 where: { tenantId, lexwareContactId },
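Review bot: The remaining check `if (!user?.tenantId)` in tenant.guard.ts only tests that the claim is truthy, and `request.user as JwtPayload` is a compile-time assertion, so nothing in these lines confirms at runtime that `tenantId` is a non-empty string. With the PLATFORM_ADMIN bypass removed, this presence check is the whole guard; consider `if (typeof user?.tenantId !== 'string' || user.tenantId === '')`. The guard also does not compare the claim with the tenant of the requested resource, so isolation still depends on every downstream query filtering by `tenantId`, which is worth stating in the comment above the check. The enclosing method starts outside the hunk, so validation done elsewhere (for example where the token is verified) cannot be ruled out from here.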
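Review bot: The new `if (!tenantId)` check in the `@@ -213` hunk has no comment saying why it matters: if `CrmPrismaService` wraps Prisma Client, as its name suggests, an `undefined` value in `where: { tenantId, lexwareContactId }` is dropped from the filter, so the lookup would no longer be limited to one tenant. I would add `// undefined in a Prisma where clause removes the filter; without this check the lookup is not tenant-scoped` above the check. `lexwareContactId` goes into the same `where` unchecked, and an undefined value there would let `findFirst` return an arbitrary record of the tenant; a matching `if (!lexwareContactId)` check would close that. The same applies to the identical check in the `@@ -246` hunk. The method signature begins outside the hunk.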
@@ -246,6 +253,12 @@ export class LexwareContactsService {
 lexwareContactId: string,
 userId: string,
 ) {
+ if (!tenantId) {
+ throw new BadRequestException(
+ 'tenantId fehlt. Bitte mit einem mandanten-gebundenen Account anmelden.',
+ );
+ }
+
 const existing = await this.prisma.contact.findFirst({
 where: { tenantId, lexwareContactId },
 });
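Review bot: This check and its message are a copy of the one added in the `@@ -213` hunk, so the two can drift apart; a private helper such as `private assertTenantId(tenantId: string): void`, called from both methods, would keep them together. The status also differs from TenantGuard in the same commit, which answers a missing tenant with `ForbiddenException` while these lines throw `BadRequestException`; the same condition should map to one status. The method starts and ends outside the hunk.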