Merge pull request #309439 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)

Author: Taojunshen

articles/governance/policy/concepts/definition-structure-policy-rule.md

@@ -82,6 +82,8 @@ A condition evaluates whether a value meets certain criteria. The supported cond
 
 For `less`, `lessOrEquals`, `greater`, and `greaterOrEquals`, if the property type doesn't match the condition type, an error is thrown. String comparisons are made using `InvariantCultureIgnoreCase`.
 
+When using the `contains` and `notContains` conditions, the wildcard character (`*`) cannot be provided in the value.
+
 When using the `like` and `notLike` conditions, you provide a wildcard character (`*`) in the value. The value shouldn't have more than one wildcard character.
 
 When using the `match` and `notMatch` conditions, provide a hashtag (`#`) to match a digit, question mark (`?`) for a letter, and a dot  (`.`) to match any character, and any other character to match that actual character. While `match` and `notMatch` are case-sensitive, all other conditions that evaluate a `stringValue` are case-insensitive. Case-insensitive alternatives are available in `matchInsensitively` and `notMatchInsensitively`.

articles/governance/policy/how-to/remediate-resources.md

@@ -12,7 +12,7 @@ Resources that are non-compliant to policies with `deployIfNotExists` or `modify
 
 ## How remediation access control works
 
-When Azure Policy starts a template deployment when evaluating `deployIfNotExists` policies or modifies a resource when evaluating `modify` policies, it does so using a [managed identity](/entra/identity/managed-identities-azure-resources/overview) associated with the policy assignment. Note that while the assignment's identity is used for resource deployment or modification, it is not used for evaluation of the policy definition and its existence condition. Policy evalutation uses the identity of the caller that initiated the API request.
+When Azure Policy starts a template deployment when evaluating `deployIfNotExists` policies or modifies a resource when evaluating `modify` policies, it does so using a [managed identity](/entra/identity/managed-identities-azure-resources/overview) associated with the policy assignment. Note that while the assignment's identity is used for resource deployment or modification, it is not used for evaluation of the policy definition and its existence condition. Policy evaluation uses the identity of the caller that initiated the API request.
 
 Policy assignments use managed identities for Azure resource authorization during remediation. You can use either a system-assigned managed identity created by the policy service or a user-assigned identity provided by the user. The managed identity needs to be assigned the minimum Azure role-based access control (Azure RBAC) role required to remediate resources. If the managed identity is missing roles, an error is displayed in the portal during the assignment of the policy or an initiative. When you use the portal, Azure Policy automatically grants the managed identity the listed roles once assignment starts. When you use an Azure software development kit (SDK), the roles must manually be granted to the managed identity. The _location_ of the managed identity doesn't affect its operation with Azure Policy.