diff --git a/.github/workflows/dogfood-deploy.yml b/.github/workflows/dogfood-deploy.yml
index 6cbcffe5e1..46e644479a 100644
--- a/.github/workflows/dogfood-deploy.yml
+++ b/.github/workflows/dogfood-deploy.yml
@@ -37,6 +37,7 @@ env:
 TF_VAR_android_service_credentials: ${{ secrets.FLEET_DEV_ANDROID_SERVICE_CREDENTIALS }}
 TF_VAR_cloudfront_public_key: ${{ secrets.CLOUDFRONT_SIGNING_PUBLIC_KEY }}
 TF_VAR_cloudfront_private_key: ${{ secrets.CLOUDFRONT_SIGNING_PRIVATE_KEY }}
+ TF_VAR_entra_api_key: ${{ secrets.DOGFOOD_FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY }}
 permissions:
 id-token: write
diff --git a/infrastructure/dogfood/terraform/aws-tf-module/entra.tf b/infrastructure/dogfood/terraform/aws-tf-module/entra.tf
new file mode 100644
index 0000000000..14e5769822
--- /dev/null
+++ b/infrastructure/dogfood/terraform/aws-tf-module/entra.tf
@@ -0,0 +1,10 @@
+variable "entra_api_key" {}
+
+resource "aws_secretsmanager_secret" "entra_conditional_access" {
+ name = "dogfood-entra-conditional-access"
+}
+
+resource "aws_secretsmanager_secret_version" "entra_api_key" {
+ secret_id = aws_secretsmanager_secret.entra_conditional_access.id
+ secret_string = base64encode(var.entra_api_key)
+}
diff --git a/infrastructure/dogfood/terraform/aws-tf-module/main.tf b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
index 63e60c6c50..149116ae99 100644
--- a/infrastructure/dogfood/terraform/aws-tf-module/main.tf
+++ b/infrastructure/dogfood/terraform/aws-tf-module/main.tf
@@ -74,6 +74,8 @@ locals {
 FLEET_WEBHOOK_STATUS_URL = var.webhook_url
 FLEET_WEBHOOK_RESULT_URL = var.webhook_url
 FLEET_OSQUERY_RESULT_LOG_PLUGIN = var.webhook_url != "" ? "webhook" : ""
+ # Entra Conditional Access Proxy API Key
+ # FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY = aws_secretsmanager_secret.entra_conditional_access.arn
 }
 sentry_secrets = {
 FLEET_SENTRY_DSN = "${aws_secretsmanager_secret.sentry.arn}:FLEET_SENTRY_DSN::"
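Review bot: `variable "entra_api_key" {}` on the first added line of entra.tf declares a credential without `sensitive = true`, a `type`, a `description`, or a `validation`, so redaction rests entirely on the provider marking `secret_string` sensitive, and an unset `TF_VAR_entra_api_key` (the workflow expands a missing GitHub secret to an empty string) would silently be written to Secrets Manager as an empty or base64-of-empty value instead of failing the plan. Separately, `secret_string = base64encode(var.entra_api_key)` stores a transformed value: anything that reads this secret verbatim, such as an ECS `valueFrom` on the ARN the way the commented-out line in main.tf references it, receives the base64 form rather than the key, so confirm the consumer expects base64 and otherwise use `secret_string = var.entra_api_key`. The variable block should be expanded as below.
```hcl
variable "entra_api_key" {
  type        = string
  description = "Microsoft compliance partner proxy API key; stored in Secrets Manager as dogfood-entra-conditional-access."
  sensitive   = true

  validation {
    condition     = length(var.entra_api_key) > 0
    error_message = "entra_api_key must be set (TF_VAR_entra_api_key)."
  }
}
# … unchanged: aws_secretsmanager_secret and aws_secretsmanager_secret_version resources …
```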
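Review bot: The two lines added to the main.tf locals are commented-out configuration with no reason recorded, so the key that entra.tf now writes to Secrets Manager is provisioned but never delivered to the service, and the next reader cannot tell whether that is deliberate or unfinished. Replace the first comment with one that states the status and what unblocks it, for example `# TODO: enable FLEET_MICROSOFT_COMPLIANCE_PARTNER_PROXY_API_KEY from aws_secretsmanager_secret.entra_conditional_access.arn once <blocker, to be filled in by the author> is resolved`, or drop both lines until the wiring is live. If it is enabled later, note alongside it that entra.tf base64-encodes the stored value, so a consumer injected with the plain ARN (unlike the neighbouring `sentry.arn:FLEET_SENTRY_DSN::` JSON-key form) would receive the encoded string and must decode it or the encoding must be removed. The enclosing `locals` block starts and ends outside the hunk.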
@@ -165,9 +167,9 @@ module "main" {
 # container_port = 8080
 # }]
 software_installers = {
- bucket_prefix = "${local.customer}-software-installers-"
- create_kms_key = true
- kms_alias = "${local.customer}-software-installers"
+ bucket_prefix = "${local.customer}-software-installers-"
+ create_kms_key = true
+ kms_alias = "${local.customer}-software-installers"
 enable_bucket_versioning = true
 expire_noncurrent_versions = true
 noncurrent_version_expiration_days = 30