
I'm so surprised by MS's strategy for using random domains and TLDs; this certainly doesn't make it easy for phishing avoidance.


If you implement an allowlisting proxy, the number of required domains for M365 / Azure is something like 120 [1]. Google basically requires three, tunnel.cloudproxy.app, *.google.com and *.googleapis.com. Amazon requires *.aws.amazon.com, *.amazonaws.com, *.awsstatic.com, *.api.aws and *.aws.dev.

Microsoft has some great domain planning.

[1] https://learn.microsoft.com/en-us/microsoft-365/enterprise/u...
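An added example, not part of the comment above and not any vendor's or proxy product's own code: a label-aware matcher for the wildcard entries that comment lists, showing why an allowlisting proxy should compare whole DNS labels rather than raw string suffixes. The function names, the rule that `*.example.com` does not cover the apex, and the sample hostnames marked as constructed are assumptions of this sketch.

```python
# Patterns are the ones quoted in the comment above; hostnames used in the
# demo at the bottom are constructed for illustration.
ALLOWLIST = [
    "tunnel.cloudproxy.app",
    "*.google.com",
    "*.googleapis.com",
    "*.aws.amazon.com",
    "*.amazonaws.com",
    "*.awsstatic.com",
    "*.api.aws",
    "*.aws.dev",
]


def normalize(host):
    """Lower-case, drop one trailing dot, split into DNS labels."""
    host = host.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    labels = host.split(".")
    if not host or any(not label for label in labels):
        raise ValueError("malformed hostname: %r" % host)
    return labels


def matches(pattern, host):
    """Exact match, or '*.suffix' matching one or more extra labels."""
    wildcard = pattern.startswith("*.")
    p = normalize(pattern[2:] if wildcard else pattern)
    h = normalize(host)
    if not wildcard:
        return p == h
    # Compare whole labels from the right: 'notgoogle.com' must not pass
    # '*.google.com' the way a naive str.endswith("google.com") would.
    # Assumption: the wildcard does not cover the apex 'google.com' itself.
    return len(h) > len(p) and h[-len(p):] == p


def is_allowed(host, allowlist=ALLOWLIST):
    """Return True only if host matches an entry; malformed input is denied."""
    try:
        return any(matches(pat, host) for pat in allowlist)
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ["storage.googleapis.com", "notgoogle.com",
                 "google.com.example.net", "microsft.com"]:  # constructed
        print(name, is_allowed(name))
```
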


My point is MS uses a lot of unrelated domains that are very different from the main brand; even the one above looks dodgy (msft[.]it). From your list, microsoftonline-p[.]com is an official domain, but it looks like a typosquat. I think it's quite far from "great domain planning".


> I think it's quite far from "great domain planning".

The poster saying they have 120 of them would imply that being sarcasm.


They appear to be being sarcastic. I don't think anyone would be seriously saying 120 is better than 3 or 6 domains.


Luckily Microsoft also provides a service for that: Safelinks https://learn.microsoft.com/en-us/microsoft-365/security/off...

Also a personal favorite of mine: http://microsft.com (not entirely sure if it's just to prevent typosquatting or if this is actually used in some products).


I don't know whether it's a typo but https://support.microsoft.com/en-us/topic/contact-us-91f63b4... lists "EOC: criskgro@microsft.com (For CEE and MEA)" under the Microsoft Credit Services. It feels like a typo, but who knows. If they don't have anything in place to catch this type of error, it's probably a good idea to register every domain someone could accidentally type.


There's no MX record on the domain, so it seems to be a typo.


microsft.com was used specifically for telemetry to bypass web proxy blocks for *.microsoft.com put in by administrators of secure networks.

I know this because I was one of those admins trying to plug the leaks.

Windows 10 + Office uses 200+ domains just for Microsoft stuff, of which something like 120 are for telemetry.


And I imagine they add new domains with updates all the time.

At home I was trying to avoid random reboots from updates in a foolproof way in a Windows VM that ran long processing tasks. I determined the only reasonable course of action was to remove all internet access. Stamping out the massive list of changing domains (and hard-coded IP addresses?) would just be too much work that I know I would never keep up with.

A white list might work.

I mused that you could have a constantly updating Windows machine and monitor all of its connections, adding them to a block list on an external firewall, but in addition to being complex to set up, I bet it wouldn't even catch everything.


Yet people continue to defend Microsoft's telemetry practices. The OS won't let you opt out without it fighting you and they'll even fight you for blocking it on the network.

Windows is spyware.


The .it ccTLD is especially bad. Almost all of the generated SEO spam links to malicious ad networks I get on search pages are usually .it domains, all written in machine English, not Italian. Thanks for reminding me and discovering -site:.it works in search queries to filter it out.


Makes sense to use a different domain if everything is down, because it could also affect DNS for the main domain.


I think what the OP is saying is, if you have multiple random domains, how would people know which ones are legit (or not)? Say I have mixxxrosoft.com, how would you know this is one of MS' official domains?



