Can I configure policies with effects “Modify” or “DeployIfNotExists” to use user-assigned managed identity instead of an automatically created managed identity?

[sorcerer134]

I have few policies with effect as "Modify" in 8 management groups/scopes. And I noticed that EPAC is automatically creating a managed identity for each scope as the effect is "Modify"

So I wanted to know if I can use/reference a single managed identity that I created in one of the subscription?

Thanks in advance!

[stateofthearb]

Yes you can https://azure.github.io/enterprise-azure-policy-as-code/policy-assignments/#user-assigned-managed-identities

but just note it will not create the role assignments for you like it does for system assigned.

https://azure.github.io/enterprise-azure-policy-as-code/policy-assignments/
Role Assignments for user-assigned Managed Identities (UAMI) are not managed by EPAC, and will not generate a roles-plan.json file.

[sorcerer134]

Thanks a bunch, I'll check it out!!!