
Commit 3e45774

Merge pull request #294378 from shanhix1/shannon/DINE-permissions
Clarifying DINE permissions used for evaluation vs deployment
2 parents 7775417 + 9f781dd commit 3e45774

File tree

2 files changed (+9, -1 lines)


articles/governance/policy/concepts/assignment-structure.md

Lines changed: 6 additions & 0 deletions
@@ -372,6 +372,12 @@ Assignments using a system-assigned managed identity must also specify a top-lev
372372
},
373373
```
374374

375+
> [!NOTE]
376+
>
377+
> For a `deployIfNotExists` policy, the assignment identity is always used for the ARM Template deployment. However, when the target resource is created or updated, the requestor's identity is used for the evaluation.
378+
>
379+
> For example, imagine a policy which deploys `Microsoft.Insights/diagnosticSettings` on `Microsoft.KeyVault/vaults`. When a key vault is created, the caller identity will be used to get the `Microsoft.Insights/diagnosticSettings` resources to evaluate the existence condition of the policy definition. If the conditions are met, then the policy assignment's identity will be used to deploy the diagnostic settings on the key vault. This means that the caller would need `Microsoft.Insights/diagnosticSettings/read permissions`, and the assignment would need `Microsoft.Insights/diagnosticSettings/write permissions`.
380+
375381
## Next steps
376382

377383
- Learn about the [policy definition structure](./definition-structure-basics.md).
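Review bot: the backticks in the last sentence of the added note swallow the word "permissions" into the code span (`Microsoft.Insights/diagnosticSettings/read permissions`); the identifiers should be `Microsoft.Insights/diagnosticSettings/read` and `Microsoft.Insights/diagnosticSettings/write` with "permissions" outside the span. Second, "If the conditions are met, then the policy assignment's identity will be used to deploy the diagnostic settings" is ambiguous for a `deployIfNotExists` policy, whose name says deployment is triggered when the existence check fails; state which condition is meant (the rule's `if` block matching versus the existence condition not being satisfied) rather than "the conditions". Third, the example never says what the evaluation result is when the caller lacks `Microsoft.Insights/diagnosticSettings/read`, which is exactly the case a reader of this note is likely to hit; document that outcome here or link to where it is described. Minor: "ARM Template deployment" should be "ARM template deployment".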

articles/governance/policy/how-to/remediate-resources.md

Lines changed: 3 additions & 1 deletion
@@ -12,7 +12,9 @@ Resources that are non-compliant to policies with `deployIfNotExists` or `modify
1212

1313
## How remediation access control works
1414

15-
When Azure Policy starts a template deployment when evaluating `deployIfNotExists` policies or modifies a resource when evaluating `modify` policies, it does so using a [managed identity](/entra/identity/managed-identities-azure-resources/overview) associated with the policy assignment. Policy assignments use managed identities for Azure resource authorization. You can use either a system-assigned managed identity created by the policy service or a user-assigned identity provided by the user. The managed identity needs to be assigned the minimum Azure role-based access control (Azure RBAC) role required to remediate resources. If the managed identity is missing roles, an error is displayed in the portal during the assignment of the policy or an initiative. When you use the portal, Azure Policy automatically grants the managed identity the listed roles once assignment starts. When you use an Azure software development kit (SDK), the roles must manually be granted to the managed identity. The _location_ of the managed identity doesn't affect its operation with Azure Policy.
15+
When Azure Policy starts a template deployment when evaluating `deployIfNotExists` policies or modifies a resource when evaluating `modify` policies, it does so using a [managed identity](/entra/identity/managed-identities-azure-resources/overview) associated with the policy assignment. Note that while the assignment's identity is used for resource deployment or modification, it is not used for evaluation of the policy definition and its existence condition. Policy evalutation uses the identity of the caller that initiated the API request.
16+
17+
Policy assignments use managed identities for Azure resource authorization during remediation. You can use either a system-assigned managed identity created by the policy service or a user-assigned identity provided by the user. The managed identity needs to be assigned the minimum Azure role-based access control (Azure RBAC) role required to remediate resources. If the managed identity is missing roles, an error is displayed in the portal during the assignment of the policy or an initiative. When you use the portal, Azure Policy automatically grants the managed identity the listed roles once assignment starts. When you use an Azure software development kit (SDK), the roles must manually be granted to the managed identity. The _location_ of the managed identity doesn't affect its operation with Azure Policy.
1618

1719
> [!NOTE]
1820
> Changing a policy definition does not automatically update the assignment or the associated managed identity.
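Review bot: typo in the new line 15, "evalutation" should be "evaluation". The same sentence ("Policy evaluation uses the identity of the caller that initiated the API request") is stated more broadly than the note this commit adds to assignment-structure.md, which scopes the caller-identity rule to the moment the target resource is created or updated; align the two so readers are not left wondering which identity applies outside a create or update request, for example "When a resource is created or updated, evaluation of the policy definition and its existence condition runs under the identity of the caller that initiated the request." Since the line was rewritten anyway, also drop the "Note that" preamble and consider untangling the double "when" in the first sentence ("When Azure Policy starts a template deployment when evaluating ...").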
