Block Outlook.com but not affect O365

Question

Hey guys, 
 I want to block personal email sites and I have web policies in place for that working fine on things like hotmail.com etc 
 
 I want to also block the personal Outlook.live.com sites but I am worried blocking *.live.com may affect Office 365 which we use on site. 
 Anyone blocking the personal Outlook site and what did you do to make it happen. I am trialling blocking access to "outlook.live.com" to limit the damage :-) 
 
 Any suggestions?

KingChris · Accepted Answer

Hi M8ey 
 Unfortunately this may be a hit and miss rule to create. 
 Microsoft does a lot of lookups to live.com and outlook.com. However I have seen that for clients on Office365, it appears that the URLs all end with office365.com. 
 As stated above, this will be trial and error. 
 You could create a rule at the very top and have Microsoft's IPs/FQDNs for Office365 and allow the traffic. Then create a second rule below that, that then blocks traffic to web email categories. 
 To ensure you dont affect your entire user base, you can add source IPs for testing purposes before rolling it out to everyone. 
 This KBA will help: https://community.sophos.com/kb/en-us/127270 and this 1: https://community.sophos.com/kb/en-us/126532 
 Here is a Microsoft KB article that details all the FQDNs and IPs. However I do see a FQDN for outlook.com. - https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges 
 Thanks!