Merge pull request #184893 from eladperets/master

Update Microsoft.PolicyInsights docs

Author: PRMerger4

articles/governance/policy/concepts/definition-structure.md

@@ -603,9 +603,6 @@ The following properties are used with **field count**:
   **count.where** condition expression. A numeric
   [condition](../concepts/definition-structure.md#conditions) should be used.
 
-**Field count** expressions can enumerate the same field array up to three times in a single
-**policyRule** definition.
-
 For more details on how to work with array properties in Azure Policy, including detailed
 explanation on how the **field count** expression is evaluated, see
 [Referencing array resource properties](../how-to/author-policies-for-arrays.md#referencing-array-resource-properties).
@@ -647,11 +644,6 @@ The following properties are used with **value count**:
   `count.where` condition expression. A numeric
   [condition](../concepts/definition-structure.md#conditions) should be used.
 
-The following limits are enforced:
-- Up to 10 **value count** expressions can be used in a single **policyRule** definition.
-- Each **value count** expression can perform up to 100 iterations. This number includes the number
-  of iterations performed by any parent **value count** expressions.
-
 #### The current function
 
 The `current()` function is only available inside the `count.where` condition. It returns the value
@@ -1048,6 +1040,48 @@ resource name to start with the resource group name.
 }
 ```
 
+### Policy rule limits
+
+#### Limits enforced during authoring
+
+Limits to the structure of policy rules are enforced during the authoring or assignment of a policy.
+Attempts to create or assign policy definitions that exceed these limits will fail.
+
+| Limit | Value | Additional details |
+|:---|:---|:---|
+| Condition expressions in the **if** condition | 4096 | |
+| Condition expressions in the **then** block | 128 | Applies to the **existenceCondition** of **AuditIfNotExists** and **DeployIfNotExists** policies |
+| Policy functions per policy rule | 2048 | |
+| Policy function number of parameters | 128 | Example: `[function('parameter1', 'parameter2', ...)]` |
+| Nested policy functions depth | 64 | Example: `[function(nested1(nested2(...)))]` |
+| Policy functions expression string length | 81920 | Example: the length of `"[function(....)]"` |
+| **Field count** expressions per array | 5 | |
+| **Value count** expressions per policy rule | 10 | |
+| **Value count** expression iteration count | 100 | For nested **Value count** expressions, this also includes the iteration count of the parent expression |
+
+#### Limits enforced during evaluation
+
+Limits to the size of objects that are processed by policy functions during policy evaluation. These limits can't always be enforced during authoring since they depend on the evaluated content. For example:
+
+```json
+{
+    "field": "name",
+    "equals": "[concat(field('stringPropertyA'), field('stringPropertyB'))]"
+}
+```
+
+The length of the string created by the `concat()` function depends of the value of properties in the evaluated resource.
+
+| Limit | Value | Example |
+|:---|:---|:---|
+| Length of string returned by a function | 131072 | `[concat(field('longString1'), field('longString2'))]`|
+| Depth of complex objects provided as a parameter to, or returned by a function | 128 | `[union(field('largeObject1'), field('largeObject2'))]` |
+| Number of nodes of complex objects provided as a parameter to, or returned by a function | 32768 | `[concat(field('largeArray1'), field('largeArray2'))]` |
+
+> [!WARNING]
+> Policy that exceed the above limits during evaluation will effectively become a **deny** policy and can block incoming requests.
+> When writing policies with complex functions, be mindful of these limits and test your policies against resources that have the potential to exceed them.
+
 ## Aliases
 
 You use property aliases to access specific properties for a resource type. Aliases enable you to

articles/governance/policy/how-to/remediate-resources.md

@@ -229,8 +229,8 @@ To create a **remediation task**, follow these steps:
 1. On the **New remediation task** page, optional remediation settings are shown: 
 
     - **Failure Threshold percentage** - Used to specify whether the remediation task should fail if the percentage of failures exceeds the given threshold. Provided as a number between 0 to 100. By default, the failure threshold is 100%. 
-    - **Resource Count** - Determines how many non-compliant resources to remediate in a given remediation task. The default value is 500 (the previous limit). The maximum number of is 10,000 resources.
-    - **Parallel Deployments** - Determines how many resources to remediate at the same time. The allowed values are 1 to 15 resources at a time. The default value is 10. 
+    - **Resource Count** - Determines how many non-compliant resources to remediate in a given remediation task. The default value is 500 (the previous limit). The maximum number of is 50,000 resources.
+    - **Parallel Deployments** - Determines how many resources to remediate at the same time. The allowed values are 1 to 30 resources at a time. The default value is 10.
 
    > [!NOTE]
    > These settings cannot be changed once the remediation task has started.

includes/azure-policy-limits.md

@@ -22,4 +22,6 @@ There's a maximum count for each object type for Azure Policy. For definitions,
 | Initiative definition | Parameters | 300 |
 | Policy or initiative assignments | Exclusions (notScopes) | 400 |
 | Policy rule | Nested conditionals | 512 |
-| Remediation task | Resources | 10,000 |
+| Remediation task | Resources | 50,000 |
+
+Policy rules have additional limits to the number of conditions and their complexity. See [Policy rule limits](../articles/governance/policy/concepts/definition-structure.md#policy-rule-limits) for more details.