This repository lists all active Microsoft root domains (no URLs and no sub-domains) for the purpose of whitelisting in various systems and apps.
This repository can facilitate the implementation of strict host-based firewall rules, for example in a corporate environment.
It can also be used to apply aggressive ad-blocking to your network, for example with NextDNS, and then use the list in this repository for whitelisting.
Sub-domains and URLs aren't listed because, for whitelisting, the root domain is used together with a wildcard (`*`). For example, `[*.]microsoft.com` or `[*]microsoft.com` (depending on the format your service/app supports) will allow all sub-domains and URLs under microsoft.com. This is the most efficient and maintainable way to whitelist these trustworthy domains. Keep in mind that a root-domain wildcard covers every host under that root, including sub-domains that do not exist yet.
- Navigate to the following settings page in the Edge browser: `edge://settings/content/cookies`
- Under the "Clear on exit" section, enter the following two items: `http://*` and `https://*`
- Under the "Allow" section, start adding the Microsoft domains from this repository, using this format: `[*.]microsoft.com`
- Now every time you close your Edge browser, the cookies of the websites that are not in the Allow list will be removed. This effectively increases your security and privacy on the web without breaking website functionality.
- You can optionally add the domain of any other website that you don't want to be logged out of every time you close your browser.
- All of these settings are synced with your Edge profile, so you only have to do this once.
This PowerShell script automatically adds the Microsoft domains from this repository to the allowlist of your NextDNS profile using the NextDNS API. To use it, first edit the script to enter your NextDNS API key and your profile ID, then run it in PowerShell. The API key is an account secret, so treat it like a password and don't commit the edited script to a public repository.
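As an added example (not the repository's own script), the following PowerShell does the same job with the key and profile ID read from environment variables instead of edited into the file, and skips domains that are already allowlisted so it can be re-run safely. It assumes the NextDNS API shape `GET`/`POST https://api.nextdns.io/profiles/<profile>/allowlist` with a JSON body `{"id":"<domain>"}` and an `X-Api-Key` header (check the current NextDNS API documentation), and that the list file is named `Microsoft Domains.txt` in the current directory.

```powershell
# Added example, not the repository's script: push root domains to a NextDNS
# profile allowlist. Assumed API shape: GET/POST /profiles/<id>/allowlist,
# body {"id":"<domain>"}, header X-Api-Key. Run from the repository root.
$ApiKey    = $env:NEXTDNS_API_KEY      # secret; keep it out of the script file
$ProfileId = $env:NEXTDNS_PROFILE_ID
$ListPath  = 'Microsoft Domains.txt'

if (-not $ApiKey -or -not $ProfileId) {
    throw 'Set NEXTDNS_API_KEY and NEXTDNS_PROFILE_ID before running this script.'
}

$Headers = @{ 'X-Api-Key' = $ApiKey }
$Base    = "https://api.nextdns.io/profiles/$ProfileId/allowlist"

# Fetch the current allowlist so re-running the script does not re-add entries.
# Assumed response shape: { "data": [ { "id": "example.com", ... }, ... ] }
$Existing = @{}
$Current = Invoke-RestMethod -Uri $Base -Headers $Headers -Method Get
foreach ($Item in @($Current.data)) {
    if ($Item.id) { $Existing[([string]$Item.id).ToLowerInvariant()] = $true }
}

# Read the list: trim, lower-case, drop blank lines, de-duplicate.
$Domains = Get-Content -Path $ListPath |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object  { $_ -ne '' } |
    Sort-Object -Unique

$Added = 0; $Skipped = 0; $Failed = 0
foreach ($Domain in $Domains) {
    if ($Existing.ContainsKey($Domain)) {
        $Skipped++
        continue
    }
    try {
        $Body = @{ id = $Domain } | ConvertTo-Json -Compress
        Invoke-RestMethod -Uri $Base -Headers $Headers -Method Post `
            -Body $Body -ContentType 'application/json' | Out-Null
        Write-Host "added   $Domain"
        $Added++
    }
    catch {
        # Keep going on a single failure (rate limit, transient error) and report at the end.
        Write-Warning "failed  $Domain : $($_.Exception.Message)"
        $Failed++
    }
}
Write-Host "Done: $Added added, $Skipped already present, $Failed failed."
```

NextDNS applies an allowlist entry to the domain and its sub-domains, so the root domain is submitted as-is, without the `[*.]` wildcard syntax used for Edge above.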
NextDNS supports Server-sent events (SSE), which can be used to view a live stream of the logs in PowerShell; the log entries are in JSON format.
In this directory you will find the PowerShell scripts. Use the `Stream the logs - Customized Output for Microsoft.ps1` script to automatically:
- Detect Microsoft root domains using common patterns (you can apply other patterns for different purposes)
- Store unique Microsoft domains that were blocked in a separate list
- Store unique Microsoft domains that were not in the whitelist file in a separate list
- Store unique non-Microsoft domains in a separate list
- Store unique non-Microsoft domains, with the number of times they were visited, in a separate list
- Display allowed and blocked domains on the console
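As an added example, and not the repository's `Stream the logs - Customized Output for Microsoft.ps1` script, the PowerShell below implements the classification the list above describes. It first runs over a few constructed SSE frames so it can be tried offline, then, if an API key and profile ID are set in the environment, reads the live stream. It assumes each log entry is a JSON object carrying `domain`, `root` and `status` fields (as in the NextDNS logs API), that the stream endpoint is `https://api.nextdns.io/profiles/<profile>/logs/stream`, and that the whitelist file is `Microsoft Domains.txt` in the current directory; the Microsoft pattern, the output file names and the sample frames are choices made for this example.

```powershell
# Added example, not the repository's script. Assumptions: JSON log entries with
# "domain", "root", "status"; SSE frames are "data: {json}" lines; the endpoint,
# output file names, pattern and sample frames below are constructed here.
$ApiKey        = $env:NEXTDNS_API_KEY
$ProfileId     = $env:NEXTDNS_PROFILE_ID
$WhitelistPath = 'Microsoft Domains.txt'

# Root domains already whitelisted (empty if the file is not present).
$Whitelist = @{}
if (Test-Path $WhitelistPath) {
    Get-Content $WhitelistPath | ForEach-Object { $Whitelist[$_.Trim().ToLowerInvariant()] = $true }
}

# Common patterns for Microsoft-owned roots; swap in other patterns for other purposes.
$MicrosoftPattern = '^(microsoft|msft|azure|office|live|windows|xbox|bing|msn|onedrive|outlook|sharepoint|skype|visualstudio)'

$BlockedMicrosoft   = [System.Collections.Generic.HashSet[string]]::new()
$MicrosoftNotListed = [System.Collections.Generic.HashSet[string]]::new()
$NonMicrosoftVisits = @{}   # root domain -> number of queries seen

function Add-LogEntry {
    param([string]$Line)
    if (-not $Line.StartsWith('data:')) { return }     # skip SSE comments / keep-alives
    $Entry  = $Line.Substring(5).Trim() | ConvertFrom-Json
    $Root   = ([string]$Entry.root).ToLowerInvariant()
    $Status = if ($Entry.status -eq 'blocked') { 'BLOCKED' } else { 'ALLOWED' }
    $Color  = if ($Status -eq 'BLOCKED') { 'Red' } else { 'Green' }

    if ($Root -match $MicrosoftPattern) {
        if ($Status -eq 'BLOCKED')              { [void]$BlockedMicrosoft.Add($Root) }
        if (-not $Whitelist.ContainsKey($Root)) { [void]$MicrosoftNotListed.Add($Root) }
    }
    else {
        $NonMicrosoftVisits[$Root] = 1 + [int]$NonMicrosoftVisits[$Root]
    }
    Write-Host ('{0,-7} {1}' -f $Status, $Entry.domain) -ForegroundColor $Color
}

function Save-Lists {
    # -join keeps Set-Content happy when a list is still empty.
    ($BlockedMicrosoft   | Sort-Object) -join "`n" | Set-Content 'Blocked Microsoft Domains.txt'
    ($MicrosoftNotListed | Sort-Object) -join "`n" | Set-Content 'Microsoft Domains Not In Whitelist.txt'
    ($NonMicrosoftVisits.Keys | Sort-Object) -join "`n" | Set-Content 'Non-Microsoft Domains.txt'
    ($NonMicrosoftVisits.GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { "$($_.Key) $($_.Value)" }) -join "`n" |
        Set-Content 'Non-Microsoft Domains With Count.txt'
}

# Constructed sample frames in the SSE shape, for an offline dry run.
$SampleFrames = @(
    'data: {"domain":"login.microsoftonline.com","root":"microsoftonline.com","status":"default"}',
    'data: {"domain":"settings-win.data.microsoft.com","root":"microsoft.com","status":"blocked"}',
    ': keep-alive',
    'data: {"domain":"ads.example.net","root":"example.net","status":"blocked"}',
    'data: {"domain":"www.example.net","root":"example.net","status":"default"}'
)
$SampleFrames | ForEach-Object { Add-LogEntry $_ }
Save-Lists

# Live mode: read the SSE stream line by line until Ctrl+C, then flush the lists.
if ($ApiKey -and $ProfileId) {
    $Client = [System.Net.Http.HttpClient]::new()
    $Client.DefaultRequestHeaders.Add('X-Api-Key', $ApiKey)
    $Stream = $Client.GetStreamAsync("https://api.nextdns.io/profiles/$ProfileId/logs/stream").GetAwaiter().GetResult()
    $Reader = [System.IO.StreamReader]::new($Stream)
    try {
        while (-not $Reader.EndOfStream) { Add-LogEntry $Reader.ReadLine() }
    }
    finally { $Reader.Dispose(); $Client.Dispose(); Save-Lists }
}
```

With the sample frames, `microsoft.com` lands in the blocked-Microsoft list, both Microsoft roots land in the not-in-whitelist list when the whitelist file is absent, and `example.net` is recorded twice in the visit count.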
Includes the Microsoft domains that are verified to be working and owned by Microsoft or its subsidiaries.
I use this Azure service to directly query the ISG (Intelligent Security Graph) to get the domains of Microsoft's subsidiaries. They are not manually verified by me, unlike the general list.
They were gathered from this source and are valid Microsoft-owned domains, but are kept in a separate list because they are used for training purposes.
The GitHub action runs every time there is a push to this repository, and makes sure that:
- There are no empty lines in the lists
- There are no entries in the lists that start with `xn--` (Punycode-encoded internationalized labels)
- The lists have no duplicate entries
- `Microsoft Domains - EASM.txt` does not include any domain that already exists in `Microsoft Domains.txt`
- There are no entries with non-alphanumeric characters (other than the dots and hyphens that are part of a domain name)
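As an added example (not the repository's GitHub workflow), the PowerShell below performs the same checks locally so a contributor can run them before opening a pull request. It assumes the two list files use the names given in this README and sit in the current directory, and that a domain may contain only letters, digits, dots and hyphens. Checking every label for `xn--` rather than only the start of the entry is a slightly stricter version of the action's rule.

```powershell
# Added example, not the repository's workflow: local version of the list checks.
# Assumptions: file names as in the README, current directory; allowed
# characters are letters, digits, dots and hyphens.
param(
    [string]$GeneralList = 'Microsoft Domains.txt',
    [string]$EasmList    = 'Microsoft Domains - EASM.txt'
)

$Failures = [System.Collections.Generic.List[string]]::new()

function Test-DomainList {
    # Checks one list file, records failures, returns its entries in lower case.
    param([string]$Path)
    $Seen  = @{}
    $Lines = @(Get-Content -Path $Path)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $n    = $i + 1
        $Line = $Lines[$i]
        if ($Line.Trim() -eq '') { $Failures.Add("${Path}:${n} empty line"); continue }
        # Stricter than "starts with xn--": any Punycode label fails.
        if ($Line -match '(^|\.)xn--')          { $Failures.Add("${Path}:${n} Punycode (xn--) label: $Line") }
        if ($Line -notmatch '^[A-Za-z0-9.-]+$') { $Failures.Add("${Path}:${n} disallowed character in: $Line") }
        $Key = $Line.ToLowerInvariant()
        if ($Seen.ContainsKey($Key))            { $Failures.Add("${Path}:${n} duplicate entry: $Line") }
        $Seen[$Key] = $true
    }
    return @($Seen.Keys)
}

# Per-file checks, then the cross-file check: EASM entries must not already be in the general list.
$General = [System.Collections.Generic.HashSet[string]]::new([string[]]@(Test-DomainList $GeneralList))
foreach ($Domain in @(Test-DomainList $EasmList)) {
    if ($General.Contains($Domain)) {
        $Failures.Add("${EasmList}: '$Domain' already exists in ${GeneralList}")
    }
}

if ($Failures.Count -gt 0) {
    $Failures | ForEach-Object { Write-Host "FAIL $_" -ForegroundColor Red }
    exit 1
}
Write-Host 'All list checks passed.' -ForegroundColor Green
```

The non-zero exit code on failure lets the script double as a pre-commit hook or a step in another CI job.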
- https://learn.microsoft.com/en-us/power-platform/admin/online-requirements
- https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges
- https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-domains
- https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints
Please feel free to contribute to this repository by creating a pull request for PowerShell scripts or domains.
Help is needed to validate and verify the WHOIS information of each domain in the Defender External Attack Surface Management (EASM) list and move them to the general list.
If you're adding a domain, make sure its WHOIS information is not private and explicitly states that it is owned by Microsoft or one of Microsoft's subsidiaries. You can also check the name servers assigned to the domain, for example whether they point to the Azure name servers. Treat the name servers as a supporting signal only, since any Azure customer can host a zone on Azure DNS; ownership should rest on the WHOIS record.
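As an added example for contributors (not a script from this repository), the PowerShell function below lists a domain's NS records and reports whether every one of them is an Azure DNS server. It assumes the `Resolve-DnsName` cmdlet from the DnsClient module (Windows), network access to a resolver, and that Azure DNS name servers end in `azure-dns.com`, `.net`, `.org` or `.info`; the domains in the usage line are illustrative.

```powershell
# Added example, not from the repository. Assumptions: Resolve-DnsName is
# available (Windows DnsClient module); Azure DNS servers use the
# azure-dns.com/.net/.org/.info suffixes.
function Test-AzureNameServers {
    param([Parameter(Mandatory)][string]$Domain)

    # Resolve-DnsName may return glue A records alongside the NS answers; keep only NS.
    $NameServers = @(
        Resolve-DnsName -Name $Domain -Type NS -ErrorAction Stop |
            Where-Object { $_.Type -eq 'NS' } |
            Select-Object -ExpandProperty NameHost
    )
    $OnAzure = @($NameServers | Where-Object { $_ -match '\.azure-dns\.(com|net|org|info)$' })

    [pscustomobject]@{
        Domain      = $Domain
        NameServers = ($NameServers -join ', ')
        AllAzureDns = ($NameServers.Count -gt 0 -and $OnAzure.Count -eq $NameServers.Count)
    }
}

# Usage: run over the candidate domains from the EASM list. AllAzureDns = True is
# only a supporting signal; ownership still has to be confirmed from the WHOIS record.
'microsoft.com', 'example.com' | ForEach-Object {
    try { Test-AzureNameServers -Domain $_ }
    catch { Write-Warning "$_" }
} | Format-Table -AutoSize
```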