Site blocking is never going to work. At some point users will start using a VPN provider and there is no way to block it (e.g. NordVPN can use 443 over TCP as well as obfuscated traffic).
Microsoft gear (and Android as well) checks internet availability by sending DNS queries and checking the response. So if these DNS queries do not get a response, it concludes the internet is not accessible and doesn't even try to connect to the actual servers.
Also, those networks published by Microsoft are not complete and up to date all the time.
I tried to fill an address list with "Microsoft addresses" to use in an outbound firewall, but it is a continuous task: the drop rule is logging, and you need to examine the dropped traffic weekly, do whois lookups of suspect addresses, and add them to the address list when they are Microsoft.
They should provide a well-defined, downloadable file that is automatically updated, instead of an online document with formatting.
Well, there are two things: the client can get a DNS server (actually a resolver) where it can look up outlook.com; this can be the MikroTik router itself when it is configured to forward those DNS requests to next-level resolvers (e.g. at the ISP, or 1.1.1.1 or 8.8.8.8 for example). No need to allow any Microsoft addresses for that.
However, some software thinks it is "smart" by sending some packets to specific external addresses (in this case some DNS server maintained by Microsoft) irrespective of the settings on the system itself (done via DHCP or static configuration).
This is sometimes part of a scheme to detect if there is a "wifi logon portal" (e.g. "hotspot") in the way that needs to be shown to the user to enter their credentials before the connection to the internet server can be made.
Such mechanisms often need extra firewall rules so they work correctly; in this case maybe allow DNS forwarding, which would normally be unnecessary and maybe even unwanted.
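The weekly review of the logging drop rule described in the first post, and the separate handling of the hard-coded external DNS probes described in the reply, can be scripted. The following is an added example, not code from either poster or from MikroTik: it parses a constructed sample of RouterOS firewall drop-log lines (the line format, the rule prefix `ms-drop`, the address-list name `microsoft`, and the RFC 5737 documentation addresses are all assumptions for the example), groups the dropped flows per destination for whois review, flags destinations that were queried on port 53 as connectivity-check probes, and emits the RouterOS `address-list add` and `filter add` commands an admin would paste after confirming ownership.

```python
import re
from collections import defaultdict

# Constructed sample of RouterOS log lines produced by a logging drop rule.
# Line format is assumed; destinations are RFC 5737 documentation addresses,
# not real Microsoft hosts.
SAMPLE_LOG = """\
firewall,info ms-drop forward: in:bridge out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.88.10:51234->203.0.113.7:443, len 52
firewall,info ms-drop forward: in:bridge out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.88.10:51235->203.0.113.7:443, len 52
firewall,info ms-drop forward: in:bridge out:ether1, src-mac 00:11:22:33:44:55, proto UDP, 192.168.88.10:60000->198.51.100.53:53, len 70
firewall,info ms-drop forward: in:bridge out:ether1, src-mac 00:11:22:33:44:66, proto UDP, 192.168.88.11:60001->198.51.100.53:53, len 70
firewall,info ms-drop forward: in:bridge out:ether1, src-mac 00:11:22:33:44:66, proto TCP (SYN), 192.168.88.11:51300->203.0.113.9:80, len 52
"""

# "proto TCP (SYN), 192.168.88.10:51234->203.0.113.7:443"; the [^,]* swallows
# the optional TCP flag annotation so UDP lines match the same pattern.
LINE_RE = re.compile(
    r"proto (?P<proto>[A-Z]+)[^,]*, "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_drops(log_text):
    """Return (proto, src, dst, dport) per dropped flow; unparseable lines are skipped."""
    flows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows


def summarize(log_text):
    """Group dropped flows by destination for the weekly whois review.

    dns_probe marks destinations that were queried on port 53: a client talking
    to an external DNS server directly instead of the resolver it was given.
    """
    summary = defaultdict(lambda: {"hits": 0, "ports": set(), "sources": set(), "dns_probe": False})
    for proto, src, dst, dport in parse_drops(log_text):
        entry = summary[dst]
        entry["hits"] += 1
        entry["ports"].add(f"{proto.lower()}/{dport}")
        entry["sources"].add(src)
        if dport == 53:
            entry["dns_probe"] = True
    return dict(summary)


def review_order(summary):
    """Destinations sorted by hit count (most frequent first): the whois work queue."""
    return sorted(summary, key=lambda d: (-summary[d]["hits"], d))


def dns_probe_targets(summary):
    """External DNS servers the clients tried to reach on their own."""
    return sorted(d for d, e in summary.items() if e["dns_probe"])


def address_list_commands(summary, list_name, confirmed):
    """RouterOS commands adding the destinations confirmed by whois to the address list."""
    cmds = []
    for dst in sorted(confirmed):
        if dst not in summary:
            continue
        hits = summary[dst]["hits"]
        ports = ",".join(sorted(summary[dst]["ports"]))
        cmds.append(
            f"/ip firewall address-list add list={list_name} address={dst} "
            f'comment="seen {hits}x on {ports}"'
        )
    return cmds


def dns_probe_accept_commands(summary):
    """Accept rules for the probe targets so the connectivity check succeeds.

    They must sit above the logging drop rule; ordering (place-before=) is left
    to the admin because rule numbers differ per router.
    """
    return [
        f"/ip firewall filter add chain=forward action=accept protocol=udp "
        f'dst-address={dst} dst-port=53 comment="connectivity-check DNS probe"'
        for dst in dns_probe_targets(summary)
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for dst in review_order(s):
        e = s[dst]
        flag = " (DNS probe target)" if e["dns_probe"] else ""
        print(f"{dst}: {e['hits']} drops, ports {sorted(e['ports'])}, from {sorted(e['sources'])}{flag}")
    # After whois confirms 203.0.113.7 and 203.0.113.9 (hypothetical result):
    for cmd in address_list_commands(s, "microsoft", ["203.0.113.7", "203.0.113.9"]):
        print(cmd)
    for cmd in dns_probe_accept_commands(s):
        print(cmd)
```

The whois step itself is deliberately left manual: the script only builds the work queue and the commands, so nothing lands in the address list without a human confirming the owner, which is the point of the weekly review.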