diff --git a/src/azure-cli/azure/cli/command_modules/acs/_help.py b/src/azure-cli/azure/cli/command_modules/acs/_help.py index 91ece750a75..0fbd74a2139 100644 --- a/src/azure-cli/azure/cli/command_modules/acs/_help.py +++ b/src/azure-cli/azure/cli/command_modules/acs/_help.py @@ -298,6 +298,8 @@ monitoring - turn on Log Analytics monitoring. Uses the Log Analytics Default Workspace if it exists, else creates one. Specify "--workspace-resource-id" to use an existing workspace. If monitoring addon is enabled --no-wait argument will have no effect + azure-policy - enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. + Learn more at aka.ms/aks/policy. - name: --disable-rbac type: bool short-summary: Disable Kubernetes Role-Based Access Control. @@ -507,6 +509,8 @@ monitoring - turn on Log Analytics monitoring. Requires "--workspace-resource-id". If monitoring addon is enabled --no-wait argument will have no effect virtual-node - enable AKS Virtual Node. Requires --subnet-name to provide the name of an existing subnet for the Virtual Node to use. + azure-policy - enable Azure policy. The Azure Policy add-on for AKS enables at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. + Learn more at aka.ms/aks/policy. parameters: - name: --addons -a type: string diff --git a/src/azure-cli/azure/cli/command_modules/acs/custom.py b/src/azure-cli/azure/cli/command_modules/acs/custom.py index 8cccdf08e22..c84ec640a66 100644 --- a/src/azure-cli/azure/cli/command_modules/acs/custom.py +++ b/src/azure-cli/azure/cli/command_modules/acs/custom.py 
@@ -2159,7 +2159,8 @@ def aks_get_credentials(cmd, client, resource_group_name, name, admin=False, 'http_application_routing': 'httpApplicationRouting', 'monitoring': 'omsagent', 'virtual-node': 'aciConnector', - 'kube-dashboard': 'kubeDashboard' + 'kube-dashboard': 'kubeDashboard', + 'azure-policy': 'azurepolicy' } @@ -2619,6 +2620,9 @@ def _handle_addons_args(cmd, addons_str, subscription_id, resource_group_name, a # error out if '--enable-addons=monitoring' isn't set but workspace_resource_id is elif workspace_resource_id: raise CLIError('"--workspace-resource-id" requires "--enable-addons monitoring".') + if 'azure-policy' in addons: + addon_profiles['azurepolicy'] = ManagedClusterAddonProfile(enabled=True) + addons.remove('azure-policy') # error out if any (unrecognized) addons remain if addons: raise CLIError('"{}" {} not recognized by the --enable-addons argument.'.format( diff --git a/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py b/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py index 2a9090a06ae..047f73e18e8 100644 --- a/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py +++ b/src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py @@ -591,7 +591,7 @@ def test_update_addons(self, rg_def, cf_resource_groups, cf_resources): addon_profile = instance.addon_profiles['httpApplicationRouting'] self.assertTrue(addon_profile.enabled) - # http_application_routing enabled + # http_application_routing disabled instance = _update_addons(cmd, instance, '00000000-0000-0000-0000-000000000000', 'clitest000001', 'http_application_routing', enable=False) addon_profile = instance.addon_profiles['httpApplicationRouting'] 
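Review bot: In the `_handle_addons_args` hunk (-2619) the profile key `'azurepolicy'` is written as a second literal, duplicating the value that the -2159 hunk adds to the add-on name map as `'azure-policy': 'azurepolicy'`. If the two drift apart, a cluster created with the add-on would carry a profile key that the update path (presumably resolved through that map) no longer matches, so a later disable could leave policy enforcement in a state the operator did not intend. Either look the key up from the map or pin the coupling with a comment such as `# key must equal the 'azure-policy' value in the add-on name map`. The tests added in this commit call only `_update_addons`, so as far as the diff shows this create-path branch is not exercised. The body of `_handle_addons_args` starts before and continues after the hunk.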
@@ -616,6 +616,29 @@ def test_update_addons(self, rg_def, cf_resource_groups, cf_resources): self.assertTrue(routing_addon_profile.enabled) self.assertEqual(sorted(list(instance.addon_profiles)), ['httpApplicationRouting', 'omsagent']) + # azurepolicy added + instance = _update_addons(cmd, instance, '00000000-0000-0000-0000-000000000000', + 'clitest000001', 'azure-policy', enable=True) + azurepolicy_addon_profile = instance.addon_profiles['azurepolicy'] + self.assertTrue(azurepolicy_addon_profile.enabled) + routing_addon_profile = instance.addon_profiles['httpApplicationRouting'] + self.assertTrue(routing_addon_profile.enabled) + monitoring_addon_profile = instance.addon_profiles['omsagent'] + self.assertFalse(monitoring_addon_profile.enabled) + + # azurepolicy disabled, routing enabled + instance = _update_addons(cmd, instance, '00000000-0000-0000-0000-000000000000', + 'clitest000001', 'azure-policy', enable=False) + instance = _update_addons(cmd, instance, '00000000-0000-0000-0000-000000000000', 'clitest000001', + 'http_application_routing', enable=True) + azurepolicy_addon_profile = instance.addon_profiles['azurepolicy'] + self.assertFalse(azurepolicy_addon_profile.enabled) + monitoring_addon_profile = instance.addon_profiles['omsagent'] + self.assertFalse(monitoring_addon_profile.enabled) + routing_addon_profile = instance.addon_profiles['httpApplicationRouting'] + self.assertTrue(routing_addon_profile.enabled) + self.assertEqual(sorted(list(instance.addon_profiles)), ['azurepolicy', 'httpApplicationRouting', 'omsagent']) + # monitoring enabled and then enabled again should error instance = mock.Mock() instance.addon_profiles = None
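Review bot: The first new block (`# azurepolicy added`) checks the three `enabled` flags but not the set of profile keys, so an unexpected extra profile created by the enable path would still pass. Add `self.assertEqual(sorted(instance.addon_profiles), ['azurepolicy', 'httpApplicationRouting', 'omsagent'])` there, as the second block already does. In the second block the `http_application_routing` enable call acts on a profile the previous block has just asserted as enabled, so the "routing enabled" half of the comment does not test a state change. The check that matters there is that disabling `azure-policy` leaves the other two profiles untouched, and the comment could say so. `test_update_addons` starts before the hunk and continues after it.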