diff --git a/infrastructure/dogfood/terraform/aws-tf-module/entra.tf b/infrastructure/dogfood/terraform/aws-tf-module/entra.tf
index 14e5769822..3b9455ded2 100644
--- a/infrastructure/dogfood/terraform/aws-tf-module/entra.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/entra.tf
@@ -1,5 +1,19 @@
 variable "entra_api_key" {}
 
+resource "aws_iam_policy" "entra_conditional_access" {
+  name = "fleet-entra-conditional-access"
+  policy = data.aws_iam_policy_document.entra_conditional_access.json
+}
+
+data "aws_iam_policy_document" "entra_conditional_access" {
+  statement {
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+    resources = [aws_secretsmanager_secret.entra_conditional_access.arn]
+  }
+}
+
 resource "aws_secretsmanager_secret" "entra_conditional_access" {
   name = "dogfood-entra-conditional-access"
 }
diff --git a/infrastructure/dogfood/terraform/aws-tf-module/main.tf b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
index 749e2da1e7..2f6883b2c0 100644
--- a/infrastructure/dogfood/terraform/aws-tf-module/main.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
@@ -152,7 +152,7 @@ module "main" {
   )
   extra_execution_iam_policies = concat(
     module.mdm.extra_execution_iam_policies,
-    [aws_iam_policy.sentry.arn, aws_iam_policy.osquery_sidecar.arn],
+    [aws_iam_policy.sentry.arn, aws_iam_policy.osquery_sidecar.arn, aws_iam_policy.entra_conditional_access.arn],
     module.cloudfront-software-installers.extra_execution_iam_policies,
   ) #, module.saml_auth_proxy.fleet_extra_execution_policies)
   extra_secrets = merge(
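Review bot: The new `aws_iam_policy_document` grants `secretsmanager:GetSecretValue` on exactly one secret ARN, which is the right least-privilege scope, but nothing in entra.tf records why the grant exists or which principal it is for; a header comment above the `aws_iam_policy` resource would save the next reader a grep, e.g. `# Read access to the Entra conditional-access secret; attached to the ECS execution role via extra_execution_iam_policies in main.tf.` The read works only because the `aws_secretsmanager_secret` below sets no `kms_key_id` and therefore uses the AWS-managed key; if a customer-managed key is ever added, this statement will also need `kms:Decrypt` on that key or the task will fail at launch, and a one-line comment saying so would prevent a confusing outage. Consider also giving the statement a `sid = "ReadEntraConditionalAccessSecret"` and the policy a `description` so the grant is self-explaining in the IAM console.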
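Review bot: Adding `aws_iam_policy.entra_conditional_access.arn` to `extra_execution_iam_policies` puts the read on the ECS execution role, which is correct only if the secret is injected through the container definition's `secrets` at task start (the `extra_secrets = merge(` context line right after suggests this, but the hunk does not show the secret being added there); if Fleet instead fetches it at runtime with the AWS SDK, the grant belongs on the task role and this line would be the wrong place. A short comment on the changed line would pin the intent for whoever next touches this list, e.g. `# entra_conditional_access: execution role reads the secret to inject it into the task`. The `module "main"` block this line belongs to starts and ends outside the hunk.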