diff --git a/cli/app.go b/cli/app.go
index 4588aa0805b..af493a2dfb1 100644
--- a/cli/app.go
+++ b/cli/app.go
@@ -457,6 +457,25 @@ var app = &cli.App{
 			Usage:           "work with organizations",
 			HideHelpCommand: true,
 			Subcommands: []*cli.Command{
+				{
+					Name:  "auth-service",
+					Usage: "manage auth-service",
+					Subcommands: []*cli.Command{
+						{
+							Name:      "enable",
+							Usage:     "enable auth-service for OAuth applications",
+							UsageText: createUsageText("enable", []string{generalFlagOrgID}, true),
+							Flags: []cli.Flag{
+								&cli.StringFlag{
+									Name:     generalFlagOrgID,
+									Required: true,
+									Usage:    "organization ID tied to OAuth applications",
+								},
+							},
+							Action: createCommandWithT[enableAuthServiceArgs](EnableAuthServiceAction),
+						},
+					},
+				},
 				{
 					Name:  "auth-service",
 					Usage: "manage auth-service",
diff --git a/cli/client.go b/cli/client.go
index 174e7a9224b..88e35d5bb09 100644
--- a/cli/client.go
+++ b/cli/client.go
@@ -190,6 +190,39 @@ func (c *viamClient) organizationsSupportEmailGetAction(cCtx *cli.Context, orgID
 	return nil
 }
 
+type enableAuthServiceArgs struct {
+	OrgID string
+}
+
+// EnableAuthServiceAction corresponds to 'organizations auth-service enable'.
+func EnableAuthServiceAction(cCtx *cli.Context, args enableAuthServiceArgs) error {
+	c, err := newViamClient(cCtx)
+	if err != nil {
+		return err
+	}
+
+	orgID := args.OrgID
+	if orgID == "" {
+		return errors.New("cannot enable auth service without an organization ID")
+	}
+
+	return c.enableAuthServiceAction(cCtx, args.OrgID)
+}
+
+func (c *viamClient) enableAuthServiceAction(cCtx *cli.Context, orgID string) error {
+	if err := c.ensureLoggedIn(); err != nil {
+		return err
+	}
+
+	_, err := c.client.EnableAuthService(cCtx.Context, &apppb.EnableAuthServiceRequest{OrgId: orgID})
+	if err != nil {
+		return err
+	}
+
+	printf(cCtx.App.Writer, "enabled auth service for organization %q:\n", orgID)
+	return nil
+}
+
 type updateBillingServiceArgs struct {
 	OrgID   string
 	Address string
diff --git a/cli/client_test.go b/cli/client_test.go
index 9496faa80ff..0ed61d624b7 100644
--- a/cli/client_test.go
+++ b/cli/client_test.go
@@ -352,6 +352,25 @@ func TestGetLogoAction(t *testing.T) {
 	test.That(t, out.messages[0], test.ShouldContainSubstring, "https://logo.com")
 }
 
+func TestEnableAuthServiceAction(t *testing.T) {
+	enableAuthServiceFunc := func(ctx context.Context, in *apppb.EnableAuthServiceRequest, opts ...grpc.CallOption) (
+		*apppb.EnableAuthServiceResponse, error,
+	) {
+		return &apppb.EnableAuthServiceResponse{}, nil
+	}
+
+	asc := &inject.AppServiceClient{
+		EnableAuthServiceFunc: enableAuthServiceFunc,
+	}
+
+	cCtx, ac, out, errOut := setup(asc, nil, nil, nil, nil, "token")
+
+	test.That(t, ac.enableAuthServiceAction(cCtx, "test-org"), test.ShouldBeNil)
+	test.That(t, len(errOut.messages), test.ShouldEqual, 0)
+	test.That(t, len(out.messages), test.ShouldEqual, 1)
+	test.That(t, out.messages[0], test.ShouldContainSubstring, "enabled auth")
+}
+
 func TestListOAuthAppsAction(t *testing.T) {
 	listOAuthAppFunc := func(ctx context.Context, in *apppb.ListOAuthAppsRequest, opts ...grpc.CallOption) (
 		*apppb.ListOAuthAppsResponse, error,
diff --git a/testutils/inject/app_service_client.go b/testutils/inject/app_service_client.go
index 4ccaf1f8843..d14bb4da81b 100644
--- a/testutils/inject/app_service_client.go
+++ b/testutils/inject/app_service_client.go
@@ -56,6 +56,8 @@ type AppServiceClient struct {
 		opts ...grpc.CallOption) (*apppb.OrganizationSetLogoResponse, error)
 	OrganizationGetLogoFunc func(ctx context.Context, in *apppb.OrganizationGetLogoRequest,
 		opts ...grpc.CallOption) (*apppb.OrganizationGetLogoResponse, error)
+	EnableAuthServiceFunc func(ctx context.Context, in *apppb.EnableAuthServiceRequest,
+		opts ...grpc.CallOption) (*apppb.EnableAuthServiceResponse, error)
 	ListOAuthAppsFunc func(ctx context.Context, in *apppb.ListOAuthAppsRequest,
 		opts ...grpc.CallOption) (*apppb.ListOAuthAppsResponse, error)
 	DeleteOAuthAppFunc func(ctx context.Context, in *apppb.DeleteOAuthAppRequest,
@@ -407,6 +409,16 @@ func (asc *AppServiceClient) OrganizationGetLogo(
 	return asc.OrganizationGetLogoFunc(ctx, in, opts...)
 }
 
+// EnableAuthService calls the injected EnableAuthServiceFunc or the real version.
+func (asc *AppServiceClient) EnableAuthService(
+	ctx context.Context, in *apppb.EnableAuthServiceRequest, opts ...grpc.CallOption,
+) (*apppb.EnableAuthServiceResponse, error) {
+	if asc.EnableAuthServiceFunc == nil {
+		return asc.AppServiceClient.EnableAuthService(ctx, in, opts...)
+	}
+	return asc.EnableAuthServiceFunc(ctx, in, opts...)
+}
+
 // ListOAuthApps calls the injected ListOAuthAppsFunc or the real version.
 func (asc *AppServiceClient) ListOAuthApps(
 	ctx context.Context, in *apppb.ListOAuthAppsRequest, opts ...grpc.CallOption,