@testuser7 Before the Modify effect was introduced, the Append effect was used for adding properties that came as a request into ARM. When a policy definition using the Append or Modify effect is run as part of an evaluation cycle, it doesn't make changes to resources that already exist. Instead, it marks any resource that meets the if condition as non-compliant. So both the Append and Modify effects are evaluated before the request gets processed by a Resource Provider during the creation or updating of a resource. This does not require a Managed Identity, as the request gets automatically processed during creation or updating of a resource.
However, the Modify effect type needs the ability to deploy resources and edit tags on existing resources respectively. So, it requires a managed identity to do so.
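
For comparison, the two effects as policy rule fragments (an added example, not part of the original reply): the Modify rule has to name the role its managed identity is granted in `roleDefinitionIds`, while the Append rule has no such field. The wrapper keys `appendRule_constructed` and `modifyRule_constructed`, the `costCenter` tag and its value are constructed for illustration; the role ID is the built-in Contributor role.

```json
{
  "appendRule_constructed": {
    "if": {
      "field": "tags['costCenter']",
      "exists": "false"
    },
    "then": {
      "effect": "append",
      "details": [
        {
          "field": "tags['costCenter']",
          "value": "unassigned"
        }
      ]
    }
  },
  "modifyRule_constructed": {
    "if": {
      "field": "tags['costCenter']",
      "exists": "false"
    },
    "then": {
      "effect": "modify",
      "details": {
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [
          {
            "operation": "add",
            "field": "tags['costCenter']",
            "value": "unassigned"
          }
        ]
      }
    }
  }
}
```

When reviewing a Modify assignment, check that the role listed in `roleDefinitionIds` is the narrowest one that covers the listed operations, since that role is what the assignment's managed identity receives on the assignment scope.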