The complexity around this is the `[*]` alias, which indicates an array of elements. A simple `in` comparison requires that all array elements validate true. A `not` and `notIn` combination (double negative) can be used for evaluating one or more matches (as opposed to all or none). There's a table in the docs that shows the different combinations of conditions and the scenarios they work with: https://learn.microsoft.com/azure/governance/policy/how-to/author-policies-for-arrays#evaluating-the--alias
Going forward, I would recommend using the `count` expression for your `[*]` alias use instead. `count` gives improved control over the none/some/all scenarios and makes other scenarios possible as well. Additionally, it can evaluate a set of properties on a single alias with different conditions. For more information and examples of `count`, see: https://learn.microsoft.com/azure/governance/policy/concepts/definition-structure#count
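
The none/some/all behaviour described in the answer above, as an added example that is not part of the original answer: a simplified Python model (not the Azure Policy engine) that evaluates the plain `[*]` conditions, the double negative, and `count` against sample arrays. The alias, the allowed list, and the sample values are assumptions chosen for illustration.

```python
# Simplified model of [*] alias evaluation; NOT the Azure Policy engine.
ARRAY = "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]"  # illustrative alias
FIELD = ARRAY + ".value"
ALLOWED = ["10.0.0.0/24", "192.168.1.1"]  # constructed sample values

# Policy conditions in the JSON shape a definition's "if" block uses.
CONDITIONS = {
    "all (in)": {"field": FIELD, "in": ALLOWED},
    "none (notIn)": {"field": FIELD, "notIn": ALLOWED},
    "some (not + notIn)": {"not": {"field": FIELD, "notIn": ALLOWED}},
    "some (count > 0)": {
        "count": {"field": ARRAY, "where": {"field": FIELD, "in": ALLOWED}},
        "greater": 0,
    },
    "none (count == 0)": {
        "count": {"field": ARRAY, "where": {"field": FIELD, "in": ALLOWED}},
        "equals": 0,
    },
}

def evaluate(cond, values):
    """Evaluate one condition against the values the [*] alias resolves to."""
    if "not" in cond:
        return not evaluate(cond["not"], values)
    if "count" in cond:
        # count: number of elements for which "where" holds, then compare.
        n = sum(1 for v in values if evaluate(cond["count"]["where"], [v]))
        return n > cond["greater"] if "greater" in cond else n == cond["equals"]
    # Plain [*] condition: every element must pass, so an empty array passes.
    if "in" in cond:
        return all(v in cond["in"] for v in values)
    return all(v not in cond["notIn"] for v in values)

def matrix(values):
    """Result of every sample condition for one resource's array."""
    return {name: evaluate(c, values) for name, c in CONDITIONS.items()}

if __name__ == "__main__":
    # Constructed samples: empty, all allowed, mixed, none allowed.
    for sample in ([], ["10.0.0.0/24"], ["10.0.0.0/24", "8.8.8.8"], ["8.8.8.8"]):
        print(sample, matrix(sample))
```

In the empty-array case the plain `in` and `notIn` conditions both evaluate true in this model, while the `count` forms report zero matches explicitly.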