We are having some issues with Skype for Business where people can't authenticate or are continuously getting prompts to authenticate. I've already whitelisted everything required by Microsoft (you can see them at Office 365 URLs and IP address ranges - Office 365).
My question is, we typically whitelist by either *.domain.com or *domain.com. We have found in our environment that the MWGs react differently based on where you put the *, and having *domain.com does not whitelist something like asdf.domain.com, it only whitelists anything that has domain.com as the ending without anything in front of it. For example, *microsoft.com does not whitelist asdf.microsoft.com, it only whitelists anything like asdfmicrosoft.com.
This makes me wonder if *.domain.com includes everything in front or do I need to put *.*.domain.com if necessary? For example, I've whitelisted *.microsoftonline.com but in cases where an address is something like api.login.microsoftonline.com, do I need to use *.*.microsoftonline.com as a whitelist entry? Hopefully I made this question understandable but please let me know if you need clarification. Thank you.
I wrote this best practice to help understand how to whitelist URLs:
Short answer though, it depends on the property. If using URL.Host, *domain.com WOULD whitelist any subdomains (asdf.domain.com) AND any domains matching the wildcard entry (asdfdomain.com). There are other properties like URL.Host.BelongsToDomain and URL.SmartMatch which simplify the whitelisting process.
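The following is an added example, not part of the original thread and not McAfee Web Gateway code. It models the URL.Host behaviour described in the answer with shell-style glob matching (an assumption: `*` matches any run of characters, dots included) and compares it with a label-boundary suffix check, a hypothetical stand-in for a "belongs to domain" style test. The hostnames are constructed samples.

```python
from fnmatch import fnmatchcase

# Constructed sample hostnames. "evilmicrosoftonline.com" stands for an
# unrelated look-alike registration that merely ends in the same string.
HOSTS = [
    "microsoftonline.com",
    "login.microsoftonline.com",
    "api.login.microsoftonline.com",
    "evilmicrosoftonline.com",
    "microsoftonline.com.example.net",
]


def glob_match(pattern, host):
    """Glob match on the host: '*' matches any characters, including dots
    (assumed semantics, modelling the URL.Host behaviour in the answer)."""
    return fnmatchcase(host.lower().rstrip("."), pattern.lower())


def belongs_to_domain(domain, host):
    """Hypothetical helper: true for the domain itself or any subdomain,
    compared on a label boundary so look-alike suffixes do not match."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def allowed_hosts(matcher, entry):
    """Return the sample hosts that a whitelist entry would let through."""
    return [h for h in HOSTS if matcher(entry, h)]


if __name__ == "__main__":
    cases = [
        ("glob   *microsoftonline.com ", glob_match, "*microsoftonline.com"),
        ("glob   *.microsoftonline.com", glob_match, "*.microsoftonline.com"),
        ("suffix microsoftonline.com  ", belongs_to_domain, "microsoftonline.com"),
    ]
    for label, matcher, entry in cases:
        print(label, "->", allowed_hosts(matcher, entry))
```

Under these assumed semantics a single `*.` already covers multi-level names such as api.login.microsoftonline.com, so `*.*.` adds nothing, while the dotless `*microsoftonline.com` also admits the look-alike host.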