Added note about DINE permission behavior for evaluation vs deployment

shanhix1 · shanhix1 · commit 7f23b7e485c3 · 2025-02-10T11:28:18.000-08:00
diff --git a/articles/governance/policy/concepts/assignment-structure.md b/articles/governance/policy/concepts/assignment-structure.md
@@ -372,6 +372,12 @@ Assignments using a system-assigned managed identity must also specify a top-lev
 },
 ```
 
+> [!NOTE]
+>
+> For a _deployIfNotExists_ policy, the assignment identity is always used for the ARM Template deployment. However, when the target resource is created or updated, the requestor's identity is used for the evaluation. 
+>
+> For example, imagine a policy which deploys Microsoft.Insights/diagnosticSettings on Microsoft.KeyVault/vaults. When a key vault is created, the caller identity will be used to get the Microsoft.Insights/diagnosticSettings resources to evaluate the existence condition of the policy definition. If the conditions are met, then the policy assignment's identity will be used to deploy the diagnostic settings on the key vault. This means that the caller would need Microsoft.Insights/diagnosticSettings/read permissions, and the assignment would need Microsoft.Insights/diagnosticSettings/write permissions.
+
 ## Next steps
 
 - Learn about the [policy definition structure](./definition-structure-basics.md).
