diff --git a/api/v1beta1/azuremanagedmachinepool_types.go b/api/v1beta1/azuremanagedmachinepool_types.go
index b45f39bae6a..086ebe9d134 100644
--- a/api/v1beta1/azuremanagedmachinepool_types.go
+++ b/api/v1beta1/azuremanagedmachinepool_types.go
@@ -510,6 +510,11 @@ type AzureManagedMachinePoolSpec struct {
 	// +optional
 	EnableNodePublicIP *bool `json:"enableNodePublicIP,omitempty"`
 
+	// EnableFIPS allows the ability to use FIPS enabled virtual machines.
+	// Immutable.
+	// +optional
+	EnableFIPS *bool `json:"enableFIPS,omitempty"`
+
 	// NodePublicIPPrefixID specifies the public IP prefix resource ID which VM nodes should use IPs from.
 	// Immutable.
 	// +optional
diff --git a/api/v1beta1/azuremanagedmachinepool_webhook.go b/api/v1beta1/azuremanagedmachinepool_webhook.go
index a62158e1ba5..5d14c9cbca9 100644
--- a/api/v1beta1/azuremanagedmachinepool_webhook.go
+++ b/api/v1beta1/azuremanagedmachinepool_webhook.go
@@ -235,6 +235,12 @@ func (mw *azureManagedMachinePoolWebhook) ValidateUpdate(ctx context.Context, ol
 		m.Spec.EnableNodePublicIP); err != nil {
 		allErrs = append(allErrs, err)
 	}
+	if err := webhookutils.ValidateImmutable(
+		field.NewPath("Spec", "EnableFIPS"),
+		old.Spec.EnableFIPS,
+		m.Spec.EnableFIPS); err != nil {
+		allErrs = append(allErrs, err)
+	}
 	if err := webhookutils.ValidateImmutable(
 		field.NewPath("Spec", "NodePublicIPPrefixID"),
 		old.Spec.NodePublicIPPrefixID,
diff --git a/api/v1beta1/azuremanagedmachinepool_webhook_test.go b/api/v1beta1/azuremanagedmachinepool_webhook_test.go
index 3b89ccb552e..d72dddfe997 100644
--- a/api/v1beta1/azuremanagedmachinepool_webhook_test.go
+++ b/api/v1beta1/azuremanagedmachinepool_webhook_test.go
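Review bot: The doc comment on the new EnableFIPS field in AzureManagedMachinePoolSpec is vague ("allows the ability to use FIPS enabled virtual machines") and, because controller-gen copies it into the CRD, the generated description in the CRD hunk of this change reads the same way minus the field name, which is what users see in `kubectl explain`. A wording that says what the flag actually does to the pool would serve both places, e.g. `// EnableFIPS, when true, provisions the nodes of this agent pool as FIPS-enabled virtual machines.` followed by the existing `// Immutable.` line. The surrounding struct starts and ends outside the hunk, so the `+optional` marker placement was checked only against the visible neighbours.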
@@ -462,6 +462,34 @@ func TestAzureManagedMachinePoolUpdatingWebhook(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "Unexpected error, value EnableFIPS is unchanged",
+			new: &AzureManagedMachinePool{
+				Spec: AzureManagedMachinePoolSpec{
+					EnableFIPS: pointer.Bool(true),
+				},
+			},
+			old: &AzureManagedMachinePool{
+				Spec: AzureManagedMachinePoolSpec{
+					EnableFIPS: pointer.Bool(true),
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "EnableFIPS feature is immutable and currently enabled on this agentpool",
+			new: &AzureManagedMachinePool{
+				Spec: AzureManagedMachinePoolSpec{
+					EnableFIPS: pointer.Bool(false),
+				},
+			},
+			old: &AzureManagedMachinePool{
+				Spec: AzureManagedMachinePoolSpec{
+					EnableFIPS: pointer.Bool(true),
+				},
+			},
+			wantErr: true,
+		},
 		{
 			name: "NodeTaints are mutable",
 			new: &AzureManagedMachinePool{
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 3c9fa9abc8c..b15ad70cfa2 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -23,7 +23,7 @@ package v1beta1
 
 import (
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	apiv1beta1 "sigs.k8s.io/cluster-api/api/v1beta1"
 	"sigs.k8s.io/cluster-api/errors"
@@ -1402,6 +1402,11 @@ func (in *AzureManagedMachinePoolSpec) DeepCopyInto(out *AzureManagedMachinePool
 		*out = new(bool)
 		**out = **in
 	}
+	if in.EnableFIPS != nil {
+		in, out := &in.EnableFIPS, &out.EnableFIPS
+		*out = new(bool)
+		**out = **in
+	}
 	if in.NodePublicIPPrefixID != nil {
 		in, out := &in.NodePublicIPPrefixID, &out.NodePublicIPPrefixID
 		*out = new(string)
diff --git a/azure/converters/managedagentpool.go b/azure/converters/managedagentpool.go
index b9513c82484..590c8fd4892 100644
--- a/azure/converters/managedagentpool.go
+++ b/azure/converters/managedagentpool.go
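Review bot: The two new cases in TestAzureManagedMachinePoolUpdatingWebhook only cover true→true and true→false; the transition that matters most for existing pools, EnableFIPS unset (nil) in the old object and set to true in the new one, is not pinned, and that is exactly where a pool created before this field existed would attempt to switch to FIPS nodes. Whether ValidateImmutable treats nil→set as a change is not visible here, so add a case for it and set wantErr to whatever that helper actually does, rather than leaving the behaviour implicit. The first case's name, "Unexpected error, value EnableFIPS is unchanged", describes the no-error path confusingly; if the neighbouring cases do not already use that phrasing, `name: "EnableFIPS is unchanged"` reads better. The enclosing test table starts and ends outside the hunk.
```go
		// … unchanged: the two EnableFIPS cases above …
		{
			name: "EnableFIPS set on a pool that previously left it unset",
			new: &AzureManagedMachinePool{
				Spec: AzureManagedMachinePoolSpec{
					EnableFIPS: pointer.Bool(true),
				},
			},
			old: &AzureManagedMachinePool{
				Spec: AzureManagedMachinePoolSpec{},
			},
			// expected value depends on how ValidateImmutable handles a nil old value — confirm before merging
			wantErr: true,
		},
```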
@@ -43,6 +43,7 @@ func AgentPoolToManagedClusterAgentPoolProfile(pool containerservice.AgentPool)
 		NodeLabels: properties.NodeLabels,
 		EnableUltraSSD: properties.EnableUltraSSD,
 		EnableNodePublicIP: properties.EnableNodePublicIP,
+		EnableFIPS: properties.EnableFIPS,
 		NodePublicIPPrefixID: properties.NodePublicIPPrefixID,
 		ScaleSetPriority: properties.ScaleSetPriority,
 		ScaleDownMode: properties.ScaleDownMode,
diff --git a/azure/scope/managedmachinepool.go b/azure/scope/managedmachinepool.go
index a09cba4a8a7..5796af38b2f 100644
--- a/azure/scope/managedmachinepool.go
+++ b/azure/scope/managedmachinepool.go
@@ -187,6 +187,7 @@ func buildAgentPoolSpec(managedControlPlane *infrav1.AzureManagedControlPlane,
 		EnableUltraSSD: managedMachinePool.Spec.EnableUltraSSD,
 		Headers: maps.FilterByKeyPrefix(agentPoolAnnotations, infrav1.CustomHeaderPrefix),
 		EnableNodePublicIP: managedMachinePool.Spec.EnableNodePublicIP,
+		EnableFIPS: managedMachinePool.Spec.EnableFIPS,
 		NodePublicIPPrefixID: managedMachinePool.Spec.NodePublicIPPrefixID,
 		ScaleSetPriority: managedMachinePool.Spec.ScaleSetPriority,
 		ScaleDownMode: managedMachinePool.Spec.ScaleDownMode,
diff --git a/azure/services/agentpools/spec.go b/azure/services/agentpools/spec.go
index df444f49b0a..f12aa824078 100644
--- a/azure/services/agentpools/spec.go
+++ b/azure/services/agentpools/spec.go
@@ -124,6 +124,9 @@ type AgentPoolSpec struct {
 	// EnableNodePublicIP controls whether or not nodes in the agent pool each have a public IP address.
 	EnableNodePublicIP *bool `json:"enableNodePublicIP,omitempty"`
 
+	// EnableFIPS allows the ability to use FIPS enabled virtual machines.
+	EnableFIPS *bool `json:"EnableFIPS,omitempty"`
+
 	// NodePublicIPPrefixID specifies the public IP prefix resource ID which VM nodes should use IPs from.
 	NodePublicIPPrefixID *string `json:"nodePublicIPPrefixID,omitempty"`
 
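Review bot: EnableFIPS is added to the AgentPoolSpec struct in azure/services/agentpools/spec.go, but no hunk in this change shows it being copied into the agent pool properties that this spec is turned into for the Azure API call, and the only other wiring visible here is the Azure→CAPZ direction in AgentPoolToManagedClusterAgentPoolProfile and the scope's buildAgentPoolSpec; unless that mapping is updated elsewhere, a user who sets enableFIPS: true gets a pool whose nodes are not FIPS-enabled while the CRD says they are, and the immutability check in the webhook then prevents them from ever correcting it. Please confirm the outbound mapping, and if it is missing, add `EnableFIPS: s.EnableFIPS,` alongside EnableNodePublicIP in the same place that field is sent (the exact receiver name follows that function's convention). Separately, the struct tag `json:"EnableFIPS,omitempty"` breaks the camelCase used by every neighbouring tag; it should be `EnableFIPS *bool `json:"enableFIPS,omitempty"``. The comment on this field could also note that the value is immutable, as the API type's comment does.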
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml index 16149daea62..25fd24b4cb0 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_azuremanagedmachinepools.yaml @@ -62,6 +62,10 @@ spec: description: EnableNodePublicIP controls whether or not nodes in the pool each have a public IP address. Immutable. type: boolean + enableFIPS: + description: allows the ability to use FIPS enabled virtual machines. + Immutable. + type: boolean enableUltraSSD: description: EnableUltraSSD enables the storage type UltraSSD_LRS for the agent pool. Immutable. diff --git a/templates/test/ci/cluster-template-prow-aks.yaml b/templates/test/ci/cluster-template-prow-aks.yaml index 2d31ecbc4ae..16f9f751f19 100644 --- a/templates/test/ci/cluster-template-prow-aks.yaml +++ b/templates/test/ci/cluster-template-prow-aks.yaml @@ -76,6 +76,7 @@ spec: - "1" - "2" enableNodePublicIP: false + enableFIPS: false enableUltraSSD: true maxPods: 30 mode: System @@ -111,6 +112,7 @@ metadata: namespace: default spec: enableNodePublicIP: false + enableFIPS: false kubeletConfig: allowedUnsafeSysctls: - net.*