Skip to content

Latest commit

 

History

History
104 lines (62 loc) · 6.01 KB

README.md

File metadata and controls

104 lines (62 loc) · 6.01 KB

Microsoft Domains

This repository lists all active Microsoft root domains, no URLs and no sub-domains, for the purpose of Whitelisting in various systems and apps.

This repository can facilitate the implementation of strict host-based firewall rules, for example, in a corporate environment.

It can be used to apply aggressive adblocking capabilities to your network, for example, by using NextDNS, and then use the list in this repository to apply Whitelisting.

The reason sub-domains and URLs aren't being used is that for Whitelisting we use root domain with wildcard *.

For example, [*.]microsoft.com or [*]microsoft.com (depending of the format your service/app supports) will allow all sub-domains and URLs under microsoft.com. This is the most efficient and maintainable way to Whitelist these trustworthy domains.


How to Whitelist Microsoft Domains in Ublock Origin

How to Whitelist Microsoft Domains in Ublock Origin


How to Whitelist Microsoft Domains in Microsoft Edge Browser

  1. Navigate to the following settings page in Edge browser: edge://settings/content/cookies
  2. Under Clear on exit section, enter the following items: http://* and https://*
  3. Under the Allow section, start adding the Microsoft domains from this repository, using this format [*.]Microsoft.com
  4. Now every time you close your Edge browser, the cookies of the websites that are not in the Allow list will be removed. This can effectively increase your security and privacy on the web, without breaking websites functionalities.
  5. You can optionally add any other website's domain that you don't want to log out of every time you close your browser to the list.
  6. All of these settings are synced so you only have to do these once.

How to Whitelist Microsoft Domains in NextDNS

This PowerShell script allows you to automatically add the Microsoft domains from this repository to the allowlist of your NextDNS profile using the API. To use this script, you need to first edit it by entering your NextDNS API key and your profile ID in it and then run it in PowerShell.


How to use NextDNS API in PowerShell for Live Logs

NextDNS supports Server-sent events (or SSE), we can use it to view live stream of the logs in PowerShell, they are in JSON format.

In this directory you will find the PowerShell scripts. Use the Stream the logs - Customized Output for Microsoft.ps1 script to automatically:

  1. Detect Microsoft root domains using common patterns (You can apply any other patterns for different purposes)
  2. Store unique Microsoft domains that were blocked in a separate list
  3. Store unique Microsoft domains that were not in the whitelist file in a separate list
  4. Store unique Non-Microsoft domains in a separate list
  5. Store unique Non-Microsoft domains with the number of times they were visited in a separate list
  6. Display Allowed and Blocked domains on the console

About The Lists

Includes the Microsoft domains that are verified to be working and owned by Microsoft or their subsidiaries.

I use this Azure service to directly query the ISG (Intelligent Security Graph) to get the domains of Microsoft's subsidiaries. They are not manually verified by me like the general list.

They were gathered from this source and are valid Microsoft owned domains but kept in a separate list because they are used for training purposes.


Automated GitHub Workflow

The GitHub action runs every time there is a push in this repository, it makes sure:

  • There are no empty lines in the lists
  • There are no entries in the lists that start with xn--
  • The lists have no duplicate entires
  • The Microsoft Domains - EASM.txt does not include any domain that already exists in Microsoft Domains.txt
  • There are no entries with non-alphanumeric characters

Some of the Sources


Contributing

Please feel free to contribute to this repository by creating a pull request for PowerShell scripts or domains.

Help With Validation

Help is needed to validate and verify the WhoIs information of each domain in the Defender External Attack Surface Management (EASM) list and add them to the General List.

Note

If you're adding a domain, make sure the WhoIs information is not private for it and explicitly states that it's either owned by Microsoft or one of Microsoft's Subsidiaries. You can also view the assigned name servers to the domain to make sure it's owned by Microsoft. For example if they point to the Azure name servers.

Thank You Gif