From 237ff8599f93dc62374b7e13c55f959f08def4c1 Mon Sep 17 00:00:00 2001
From: Matthew Bates
Date: Thu, 17 Oct 2024 17:08:45 -0700
Subject: [PATCH 1/2] Update PrivlegedRoleAssignedOutsidePIM.yaml Added support for GCC-High / Azure Government
---
 .../Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
index 9587223e6fb..c00cc9ad800 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
@@ -23,7 +23,7 @@ query: |
 AuditLogs
 | where Category =~ "RoleManagement"
 | where OperationName has "Add member to role outside of PIM"
- or (LoggedByService =~ "Core Directory" and OperationName =~ "Add member to role" and Identity != "MS-PIM")
+ or (LoggedByService =~ "Core Directory" and OperationName =~ "Add member to role" and Identity != "MS-PIM" and Identity != "MS-PIM-Fairfax")
 | mv-apply TargetResource = TargetResources on
 (
 where TargetResource.type =~ "User"

From 556d73befae0ab964744c64782e0c0fab37f16e1 Mon Sep 17 00:00:00 2001
From: Matthew Bates
Date: Thu, 17 Oct 2024 17:11:33 -0700
Subject: [PATCH 2/2] Updated PrivlegedRoleAssignedOutsidePIM.yaml version string
---
 .../Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
index c00cc9ad800..6da74007dd1 100644
--- a/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
+++ b/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml
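Review bot: The PIM exclusion on the changed `or (...)` line of the `@@ -23,7 +23,7 @@` hunk in PATCH 1/2 keys on `Identity`, which appears to be the initiator's display name rather than a unique identifier, so any initiator whose name equals `MS-PIM` or `MS-PIM-Fairfax` is dropped from this detection. If that reading is right, consider excluding by the initiating service principal instead, for example `tostring(InitiatedBy.app.servicePrincipalId) !in (<PIM_SERVICE_PRINCIPAL_IDS>)` with the placeholder filled per tenant and cloud, or at least add a `//` comment in the query recording the assumption that these names are reserved. As a smaller style point, the two chained comparisons read better as `and Identity !in ("MS-PIM", "MS-PIM-Fairfax")`, which keeps the case-sensitive match and leaves one place to add further sovereign-cloud names. The query continues outside the hunk, so later filters may already narrow this.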
@@ -65,5 +65,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: InitiatingIpAddress
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled