diff --git a/azure/services/managedclusters/managedclusters.go b/azure/services/managedclusters/managedclusters.go
index 288da7e5ec5..34cad39b400 100644
--- a/azure/services/managedclusters/managedclusters.go
+++ b/azure/services/managedclusters/managedclusters.go
@@ -93,6 +93,14 @@ func (s *Service) Reconcile(ctx context.Context) error {
 Host: pointer.StringDeref(managedCluster.ManagedClusterProperties.Fqdn, ""),
 Port: 443,
 }
+ if managedCluster.ManagedClusterProperties.APIServerAccessProfile != nil &&
+ pointer.BoolDeref(managedCluster.ManagedClusterProperties.APIServerAccessProfile.EnablePrivateCluster, false) &&
+ !pointer.BoolDeref(managedCluster.ManagedClusterProperties.APIServerAccessProfile.EnablePrivateClusterPublicFQDN, false) {
+ endpoint = clusterv1.APIEndpoint{
+ Host: pointer.StringDeref(managedCluster.ManagedClusterProperties.PrivateFQDN, ""),
+ Port: 443,
+ }
+ }
 s.Scope.SetControlPlaneEndpoint(endpoint)

 // Update kubeconfig data
diff --git a/azure/services/managedclusters/managedclusters_test.go b/azure/services/managedclusters/managedclusters_test.go
index 54b192e1e4f..cd2ba228355 100644
--- a/azure/services/managedclusters/managedclusters_test.go
+++ b/azure/services/managedclusters/managedclusters_test.go
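Review bot: In the new private-cluster branch of managedclusters.go, a nil or empty `PrivateFQDN` produces `Host: ""`, and that empty host is passed straight to `s.Scope.SetControlPlaneEndpoint(endpoint)` with no error or log. This value is the address clients of the workload cluster will connect to, so I would refuse to publish it, for example `if endpoint.Host == "" { return errors.New("managed cluster API server FQDN is empty") }` just before the setter, using whichever error helper the file already imports; the public `Fqdn` path looks like it has the same gap. The branch could also assign only `endpoint.Host = pointer.StringDeref(managedCluster.ManagedClusterProperties.PrivateFQDN, "")` instead of rebuilding the literal and repeating `Port: 443`. Reconcile begins and ends outside this hunk, so how it wraps and returns errors should be confirmed there.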
@@ -82,6 +82,36 @@ func TestReconcile(t *testing.T) {
 s.UpdatePutStatus(infrav1.ManagedClusterRunningCondition, serviceName, nil)
 },
 },
+ {
+ name: "create managed private cluster succeeds",
+ expectedError: "",
+ expect: func(m *mock_managedclusters.MockCredentialGetterMockRecorder, s *mock_managedclusters.MockManagedClusterScopeMockRecorder, r *mock_async.MockReconcilerMockRecorder) {
+ s.ManagedClusterSpec().Return(fakeManagedClusterSpec)
+ r.CreateOrUpdateResource(gomockinternal.AContext(), fakeManagedClusterSpec, serviceName).Return(containerservice.ManagedCluster{
+ ManagedClusterProperties: &containerservice.ManagedClusterProperties{
+ APIServerAccessProfile: &containerservice.ManagedClusterAPIServerAccessProfile{
+ EnablePrivateCluster: pointer.Bool(true),
+ EnablePrivateClusterPublicFQDN: pointer.Bool(false),
+ },
+ PrivateFQDN: pointer.String("my-managedcluster-fqdn.private"),
+ ProvisioningState: pointer.String("Succeeded"),
+ IdentityProfile: map[string]*containerservice.UserAssignedIdentity{
+ kubeletIdentityKey: {
+ ResourceID: pointer.String("kubelet-id"),
+ },
+ },
+ },
+ }, nil)
+ s.SetControlPlaneEndpoint(clusterv1.APIEndpoint{
+ Host: "my-managedcluster-fqdn.private",
+ Port: 443,
+ })
+ m.GetCredentials(gomockinternal.AContext(), "my-rg", "my-managedcluster").Return([]byte("credentials"), nil)
+ s.SetKubeConfigData([]byte("credentials"))
+ s.SetKubeletIdentity("kubelet-id")
+ s.UpdatePutStatus(infrav1.ManagedClusterRunningCondition, serviceName, nil)
+ },
+ },
 {
 name: "fail to get managed cluster credentials",
 expectedError: "failed to get credentials for managed cluster: internal server error",
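Review bot: The new table entry pins only one outcome of the three-part condition added to Reconcile, namely `EnablePrivateCluster: pointer.Bool(true)` with `EnablePrivateClusterPublicFQDN: pointer.Bool(false)`. I would add a sibling case with `EnablePrivateClusterPublicFQDN: pointer.Bool(true)` and both `Fqdn` and `PrivateFQDN` populated, expecting the public `Fqdn` in `s.SetControlPlaneEndpoint`, so that a later edit dropping the `!` or swapping the two fields is caught. A case that leaves `PrivateFQDN` nil would also document which host is expected when the private name is not yet available. The TestReconcile table continues outside this hunk, so such cases may already exist there.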