
Ajay_Joy
Copper Contributor
Aug 05, 2022

Azure Policy Deploy If Not Exist Permissions

Currently we use Azure Deploy if not exist policies to enforce specific settings on various Azure resources, which are triggered when a resource is deployed. In order to segregate permissions, we grant the required permission only to the MSI linked to this policy. But we are facing the issue that when a user deploys the resource, the deploy if not exist action fails, as it uses the permission of the user triggering the deployment of the resource and not the permission of the MSI of the policy. Is this per the design and the suggested path? If so, then we will have to modify our logic to better adjust to the situation.
