diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
index 90a2a6af29f..2f593839be0 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/09/04"
+updated_date = "2024/09/25"
 
 [rule]
 author = ["Elastic"]
@@ -36,6 +36,8 @@
 event.dataset: "o365.audit" and
 event.provider: "AzureActiveDirectory" and
 event.action: "UserLoggedIn" and
 event.outcome: "success"
+    and not o365.audit.UserId: "Not Available"
+    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
 '''
 
diff --git a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
index 7f247112265..7edab168de5 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/04"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/09/04"
+updated_date = "2024/09/25"
 
 [rule]
 author = ["Elastic"]
@@ -34,6 +34,8 @@
 event.dataset: "o365.audit" and
 event.provider: "AzureActiveDirectory" and
 event.action: "UserLoggedIn" and
 event.outcome: "success"
+    and not o365.audit.UserId: "Not Available"
+    and o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")
 '''
 
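Review bot: The six hard-coded `o365.audit.Target.Type` values in the impossible-travel query hunk are unexplained, and because KQL has no comment syntax the rationale has to live in the rule's TOML fields instead; nothing in the hunk records what these type codes select or why the others are excluded. Note also that this clause only matches documents that carry `Target.Type`, so any `UserLoggedIn` event without that array is now dropped along with the `UserId: "Not Available"` records — a coverage narrowing that analysts tuning this rule should be told about. I would add to the rule's `note` (or `description`, both outside this hunk) a sentence along the lines of `Logins are restricted to Target.Type values 0, 2, 3, 5, 6 and 10 and to events with a resolved UserId; sign-ins lacking a Target array or a user identity are intentionally excluded and will not alert.`, with the meaning of each type code filled in from the O365 audit schema. The `query = '''` field this hunk edits begins outside the hunk.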
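Review bot: The two added lines in the rare-location query hunk use a leading-`and`, indented style while the four existing clauses end each line with a trailing `and`; mixing the two forms in one short query makes it harder to see at a glance which clause a `not` binds to. I would keep the established convention and write `event.outcome: "success" and`, `not o365.audit.UserId: "Not Available" and`, `o365.audit.Target.Type: ("0" or "2" or "3" or "5" or "6" or "10")` at the same indent as the existing lines. Since the identical filter was added to the impossible-travel rule in this same commit, whichever form is chosen should be applied to both files so the two sibling rules stay diff-able against each other. The `query = '''` field begins outside the hunk.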