Merge pull request #313487 from MicrosoftDocs/main

Auto Publish – main to live - 2026-03-21 11:00 UTC

Author: learn-build-service-prod[bot]

articles/governance/policy/concepts/exemption-structure.md

@@ -118,7 +118,41 @@ Exemptions support an optional property `resourceSelectors` that works the same
 }
 ```
 
-Regions can be added or removed from the `resourceLocation` list in the example. Resource selectors allow for greater flexibility of where and how exemptions can be created and managed.
+The follow resource selectors `kinds` are supported in the policy exemptions object:
+- resourceLocation: This property is used to select resources based on their type. Can't be used in the same resource selector as resourceWithoutLocation.
+- resourceType: This property is used to select resources based on their type.
+- resourceWithoutLocation: This property is used to select resources at the subscription level that don't have a location. Currently only supports subscriptionLevelResources. Can't be used in the same resource selector as resourceLocation.
+- in: The list of allowed values for the specified kind. Can't be used with notIn. Can contain up to 50 values.
+- notIn: The list of not-allowed values for the specified kind. Can't be used with in. Can contain up to 50 values.
+- userPrincipalId: the list of the allowed user object IDs can be exempt in the request. This can be associated with an individual user, an MSI, or a service principal. 
+- groupPrincipalId: the list of the allowed security group IDs can be exempt in the request. A resource selector can contain multiple selectors. To be applicable to a resource selector, a resource must meet requirements specified by all its selectors. Further, up to 10 resourceSelectors can be specified in a single assignment. In-scope resources are evaluated when they satisfy any one of these resource selectors.
+
+
+### Identity based exemptions (preview)
+
+You can leverage selector kinds userPrincipalId and groupPrincipalId within the exemption structure to enable a specific service principal, MSI, user, or security group to bypass a policy assignment's enforcement.
+
+Take an example where you want to assign the built-in policy definition `Allowed virtual machine size SKUs` in your subscription to ensure that only A-family VMs can be deployed, with the exception of a high privileged group. You can use identity based conditions to exempt this group in your organization from this enforcement. 
+
+This is an example of an identity-based exemption:
+
+```json
+"properties": {   
+  "policyAssignmentId": "/subscriptions/<subscriptionID>/providers/Microsoft.Authorization/policyAssignments/CostMgmt",   
+  "resourceSelectors": [{    
+      "name": "AllowedGroups",   
+      "selectors": [{   
+          "kind": "groupPrincipalId",   
+          "in": [ "<HighPrivEngGroupId>" ]   
+        },      
+      ]   
+    }   
+  ],   
+  "exemptionCategory": "Waiver",   
+  "displayName": "Exempt high SKU VM",   
+  "description": "Exempt high SKU VM for business need"   
+}   
+```
 
 ## Assignment scope validation (preview)
 

articles/governance/policy/concepts/policy-for-kubernetes.md

@@ -610,6 +610,13 @@ Finally, to identify the AKS cluster version that you're using, follow the linke
 
 ### Add-on versions available per each AKS cluster version
 
+#### 1.16.0
+Introducing Validating Admission Policy (VAP) generation. [Validating Admission Policies](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) are Kubernetes-native validating policy resources that are evaluated in-process, allowing for reduced latency and fail-close evaluation. Azure Policies that contain Common Expression Language (CEL) will automatically generate VAPs. For more information, view the [Gatekeeper Documentation](https://open-policy-agent.github.io/gatekeeper/website/docs/validating-admission-policy/).
+Patch CVEs.
+- Released Apr 2026
+- Kubernetes 1.29+
+##### Gatekeeper 3.22.1-1
+
 #### 1.15.4
 Patch CVE-2025-61727
 - Released Dec 2025