Update articles/governance/policy/concepts/assignment-structure.md

shanhix1 · davidsmatlak · web-flow · commit 73c2d4012285 · 2025-02-14T16:09:11.000-08:00
Co-authored-by: David Smatlak &lt;45012333+davidsmatlak@users.noreply.github.com&gt;
diff --git a/articles/governance/policy/concepts/assignment-structure.md b/articles/governance/policy/concepts/assignment-structure.md
@@ -374,7 +374,7 @@ Assignments using a system-assigned managed identity must also specify a top-lev
 
 > [!NOTE]
 >
-> For a _deployIfNotExists_ policy, the assignment identity is always used for the ARM Template deployment. However, when the target resource is created or updated, the requestor's identity is used for the evaluation. 
+> For a `deployIfNotExists` policy, the assignment identity is always used for the ARM Template deployment. However, when the target resource is created or updated, the requestor's identity is used for the evaluation. 
 >
 > For example, imagine a policy which deploys Microsoft.Insights/diagnosticSettings on Microsoft.KeyVault/vaults. When a key vault is created, the caller identity will be used to get the Microsoft.Insights/diagnosticSettings resources to evaluate the existence condition of the policy definition. If the conditions are met, then the policy assignment's identity will be used to deploy the diagnostic settings on the key vault. This means that the caller would need Microsoft.Insights/diagnosticSettings/read permissions, and the assignment would need Microsoft.Insights/diagnosticSettings/write permissions.
 

Original file line number	Diff line number	Diff line change
`@@ -374,7 +374,7 @@ Assignments using a system-assigned managed identity must also specify a top-lev`
`374`	`374`
`375`	`375`	`> [!NOTE]`
`376`	`376`	`>`
`377`		`-> For a _deployIfNotExists_ policy, the assignment identity is always used for the ARM Template deployment. However, when the target resource is created or updated, the requestor's identity is used for the evaluation.`
	`377`	+> For a `deployIfNotExists` policy, the assignment identity is always used for the ARM Template deployment. However, when the target resource is created or updated, the requestor's identity is used for the evaluation.
`378`	`378`	`>`
`379`	`379`	> For example, imagine a policy which deploys Microsoft.Insights/diagnosticSettings on Microsoft.KeyVault/vaults. When a key vault is created, the caller identity will be used to get the Microsoft.Insights/diagnosticSettings resources to evaluate the existence condition of the policy definition. If the conditions are met, then the policy assignment's identity will be used to deploy the diagnostic settings on the key vault. This means that the caller would need Microsoft.Insights/diagnosticSettings/read permissions, and the assignment would need Microsoft.Insights/diagnosticSettings/write permissions.
`380`	`380`