1 Office Copilot is not GitHub Copilot on different ports
Readers who already followed our GitHub Copilot article may be tempted to reuse its suffix bundle for anything labeled “Copilot.” That shortcut fails quickly. GitHub Copilot traffic terminates primarily on GitHub and model-gateway hosts tied to the developer workflow. Microsoft 365 Copilot inherits the Office 365 trust boundary: Entra ID (formerly Azure AD) for Microsoft sign-in, Exchange Online and SharePoint for mail and files, Teams real-time media, and Microsoft Graph as the control plane where Copilot requests are orchestrated alongside permissions you already granted to the tenant.
Mixing unrelated “AI” lists also obscures audits. Security teams ask which exit touched customer mail—not which model tag appeared in a prompt. A disciplined Clash split routing profile therefore anchors Copilot features to the same Microsoft commercial suffix families you would route for ordinary Word and Outlook work, then adds narrow rows for any extra orchestration endpoints your logs reveal after an Office update. That keeps compliance narratives simple: one coherent “Microsoft 365” policy bucket instead of a patchwork imported from inference-only articles.
Install a maintained desktop build from our download page before you tune rules. Open-source repositories remain the right place to verify licenses; they should not be the casual installer channel when curated builds already cover your platform.
2 Four planes: identity, productivity APIs, Copilot substrate, and OneDrive
Plane one—Microsoft sign-in and token exchange. Interactive login, device registration, and conditional-access challenges flow through hosts under login.microsoftonline.com, login.microsoft.com, and related Entra endpoints, with consumer overlap on live.com and microsoft.com marketing surfaces. Treat the microsoftonline.com suffix as mandatory routing coherence: if the browser completes Microsoft sign-in but the Win32 Office suite cannot renew tokens, you usually see different exits between the WebView shell and the native TLS stack—something explicit suffix coverage and consistent TUN capture fix more often than yet another inference hostname.
Plane two—Office 365 productivity and Microsoft Graph. Mail, calendar, search, and attachments lean on office.com, office365.com, sharepoint.com, and microsoft.com subdomains that front the service fabric. Graph calls for Microsoft 365 Copilot features—summaries, draft suggestions, meeting prep—still honor tenant consent and audit logs on the Graph plane rather than exposing a standalone public API key you paste into Clash. From a routing perspective, the actionable abstraction is “route the Microsoft 365 productivity family to one trusted proxy group,” then refine with per-log hostnames when telemetry shows outliers after an update ring advances.
Plane three—Copilot orchestration and real-time collaboration. Inline suggestions in Word or loops inside Teams may hit additional substrate endpoints—often substrate.office.com-class hosts or regional edges whose names rotate. Instead of guessing every month, capture SNIs from Mihomo logs during real work: open a long document, invoke Copilot, and watch for new suffixes. Add them as DOMAIN-SUFFIX or precise DOMAIN lines rather than broad DOMAIN-KEYWORD matches that accidentally catch unrelated brands.
Plane four—OneDrive and large-object storage. Sync clients hammer HTTPS APIs and parallel chunk uploads on hosts under onedrive.com, live.com, and SharePoint-adjacent storage. If OneDrive sync rides a lossy node while Graph calls succeed, users blame “Copilot is slow” when the attachment never landed. Align the storage suffix family with the same proxy quality you chose for Graph, unless metering policies force splitting—and if you split, document the reason so help desks do not chase ghosts.
3 DOMAIN-SUFFIX coverage you can start from in Clash
A defensible personal profile routes the following suffixes to a dedicated select group (call it PROXY_MS365): DOMAIN-SUFFIX,microsoft.com as a wide umbrella for many subdomains—accepting that you must occasionally carve exceptions if you also consume non-product static pages; DOMAIN-SUFFIX,microsoftonline.com for Entra sign-in and token endpoints; DOMAIN-SUFFIX,live.com for consumer identity overlap and some storage-plane traffic; DOMAIN-SUFFIX,office.com and DOMAIN-SUFFIX,office365.com for web shells; DOMAIN-SUFFIX,sharepoint.com for team sites; DOMAIN-SUFFIX,onedrive.com for OneDrive-labeled hosts; and DOMAIN-SUFFIX,msftauth.net or msauth.net when logs show device-registration handshakes. Replace or trim entries when your tenant uses sovereign clouds—more on that below.
Enterprise networks sometimes add Defender portal or Intune hosts that share the microsoft.com registrable domain but deserve separate policies. If compliance demands split-tunneling admin portals versus everyday productivity, duplicate narrow DOMAIN rows above the broad suffix to override without abandoning structured audits entirely.
Avoid permanent DOMAIN-KEYWORD,microsoft shortcuts: they over-catch telemetry strings and unrelated experiments. Production-grade Clash configurations prefer explicit suffix families, ordered ahead of blunt GEOIP shortcuts imported from subscription bundles.
4 Rule order, conditional access, and first-match reality
Clash evaluates rules top-down; the first hit wins. Regional rule-sets that prepend aggressive GEOIP,CN,DIRECT rows often starve Microsoft traffic of your preferred exit even when explicit SaaS rows exist, because those rows sit too low to be reached. Move Office 365 and Entra suffix entries above imported mega-lists so browser and native clients share one egress story during token refresh and Copilot orchestration bursts.
Conditional access complicates the narrative: Microsoft sign-in might require a compliant device signal that never leaves your LAN, while document fetch must traverse the proxy. When policies demand location-based checks, indiscriminate global proxying may break login even though network latency looks fine. Validate with your identity team before declaring a routing bug; keep notes in YAML comments so future you understands why a narrower DIRECT exception exists for a specific IdP hostname.
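As an added example (not Clash's own code), the Python model below reproduces the top-down, first-hit evaluation for hostname rows and shows two effects discussed above: a narrow DOMAIN row placed above the broad microsoft.com suffix overriding it, and a DOMAIN-KEYWORD,microsoft row over-catching unrelated hosts. The rule list, the ADMIN_PORTALS group name and the portal hostname are constructed placeholders; GEOIP rows are modelled as non-matching because no resolver is involved.

```python
"""First-match rule evaluation for Clash/Mihomo hostname rows.

Added example, not Clash code. It models DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD
and MATCH; GEOIP rows need a resolver and are treated as non-matching here,
so the output isolates ordering effects among hostname rows.
"""
from typing import List, Tuple

def parse_rule(line: str) -> Tuple[str, str, str]:
    """Split 'TYPE,payload,policy'; MATCH carries no payload."""
    parts = [p.strip() for p in line.split(",")]
    if parts[0] == "MATCH":
        return "MATCH", "", parts[1]
    return parts[0], parts[1].lower(), parts[2]

def rule_hits(rtype: str, payload: str, host: str) -> bool:
    """Clash semantics: SUFFIX matches the apex and its subdomains, KEYWORD any substring."""
    host = host.lower().rstrip(".")
    if rtype == "DOMAIN":
        return host == payload
    if rtype == "DOMAIN-SUFFIX":
        return host == payload or host.endswith("." + payload)
    if rtype == "DOMAIN-KEYWORD":
        return payload in host
    return rtype == "MATCH"  # GEOIP and other IP rules: no resolver in this model

def winning_rule(rules: List[str], host: str) -> Tuple[str, str]:
    """Return (rule line, policy) of the first hit; Clash evaluates top-down."""
    for line in rules:
        rtype, payload, policy = parse_rule(line)
        if rule_hits(rtype, payload, host):
            return line, policy
    raise ValueError("no rule matched: the profile lacks a terminal MATCH row")

# Constructed profile: a narrow DOMAIN row for a placeholder admin portal sits
# ABOVE the broad microsoft.com suffix, so it wins; all else falls to MATCH.
RULES = [
    "DOMAIN,portal-placeholder.microsoft.com,ADMIN_PORTALS",
    "DOMAIN-SUFFIX,microsoftonline.com,PROXY_MS365",
    "DOMAIN-SUFFIX,office.com,PROXY_MS365",
    "DOMAIN-SUFFIX,microsoft.com,PROXY_MS365",
    "MATCH,DIRECT",
]

# The same profile with the keyword shortcut the text warns against placed on top.
KEYWORD_RULES = ["DOMAIN-KEYWORD,microsoft,PROXY_MS365"] + RULES
```

Moving the DOMAIN row below the MATCH row (`RULES[1:] + [RULES[0]]`) silently hands the portal to PROXY_MS365, which is the first-match trap the section describes.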
5 Illustrative YAML for proxy groups, DOMAIN-SUFFIX rows, and providers
The fragment below is educational. Rename groups to match your merge style, validate with your GUI linter, and host remote rule providers yourself when you cannot trust third-party CDNs for policy text.
# Example only — merge into your full profile
proxy-groups:
  - name: PROXY_MS365
    type: select
    proxies:
      - AUTO-BEST
      - DIRECT

rule-providers:
  ms365-saas:
    type: http
    behavior: classical
    url: "https://example.com/rules/ms365-saas.txt"
    path: ./ruleset/ms365-saas.yaml
    interval: 86400

rules:
  - RULE-SET,ms365-saas,PROXY_MS365
  - DOMAIN-SUFFIX,microsoftonline.com,PROXY_MS365
  - DOMAIN-SUFFIX,office.com,PROXY_MS365
  - DOMAIN-SUFFIX,office365.com,PROXY_MS365
  - DOMAIN-SUFFIX,sharepoint.com,PROXY_MS365
  - DOMAIN-SUFFIX,onedrive.com,PROXY_MS365
  - DOMAIN-SUFFIX,live.com,PROXY_MS365
  - DOMAIN-SUFFIX,microsoft.com,PROXY_MS365
Pair suffix routing with coherent DNS. FakeIP, DoH, and OS stub resolvers that disagree still produce “rule matched but TLS alert” symptoms. Our DNS leak prevention guide walks through resolver alignment that applies to heavy SaaS clients including Office, which reopens sockets aggressively after sleep or dock events.
6 Hybrid work, sovereign clouds, and GCC environments
Not every tenant lives in the worldwide commercial partition. Government clouds (GCC / GCC High / DoD) and regional sovereign deployments use different endpoint bases; copying a generic microsoft.com bundle without verification can silently block compliance-required sign-in. Treat this article’s suffix list as a starting hypothesis, then reconcile against Microsoft’s published endpoint documentation for your specific cloud instance before you push YAML to routers that other people rely on.
Hybrid Exchange or on-premises SharePoint introduces split DNS and split HTTPS paths: internal hostnames might resolve to private RFC1918 addresses that must stay DIRECT while cloud Copilot features still need the public Microsoft edge. Log both resolver answers and Clash policy hits when users report “Copilot works in the browser but not in desktop Word”—that symptom often maps to mixed capture rather than a missing model route.
7 Desktop, browser, and mobile Office experiences
Chromium browsers usually respect system proxy settings; Win32 Office does not always honor them unless traffic is pulled into Mihomo via TUN or an equivalent transparent path. Our Clash Verge Rev TUN guide explains verification patterns that help Office and Teams align with the same policy group after reboot or fast user switching.
Mobile Outlook and Teams on iOS or Android may switch LTE and Wi-Fi mid-call, toggling IPv6 preference. If Copilot features fail only on cellular, compare SNIs between networks before blaming a distant model host. Capture whether Teams media prefers UDP while Graph remains TCP-heavy—two exits still mean two rules, not one vague “AI proxy.”
For collaboration stacks that blend Microsoft 365 Copilot with other vendors, keep each vendor’s suffix family in a separate provider file. Our Notion AI routing guide shows the same modular discipline for knowledge bases—merge DNS fundamentals everywhere, swap only the suffix slice per product.
8 DNS, TLS, and troubleshooting with Mihomo logs
Start incidents by filtering Mihomo logs for your PROXY_MS365 group. If Word opens but inline Copilot never returns, compare timestamps on Graph-like hosts versus long-lived Teams sockets—two exits usually mean two winning rules or an IPv6 leak. Rotate proxy nodes only after ordering and DNS look coherent; otherwise you chase latency ghosts while the real issue is a stale token path through DIRECT.
Certificate errors after reconnecting VPN or sleeping often mean the operating system resolver cache disagrees with Clash’s DNS pipeline. Flush both, then retry a controlled sign-in. Remember HTTP 403 from Graph typically signals policy or license issues, not packet loss—confirm Copilot entitlements and security defaults before you rewrite routing.
Finally, keep observability proportional: export short log windows, redact tenant IDs before sharing, and prefer repeatable reproduction steps (“open this shared deck, trigger summarize”) over guesswork. Stable Clash split routing accelerates triage because you can prove which suffix matched first—not just that “the AI felt slow.”
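To make that triage concrete, here is an added Python helper (not part of Mihomo or of this article's profile) that parses a constructed window of Mihomo-style connection log lines and reports Microsoft-family hosts that left through a group other than PROXY_MS365, hosts seen through two exits, and unknown hosts that only the catch-all rule caught. The log line shape, and every host, node and timestamp in the sample, are assumptions.

```python
"""Triage Mihomo-style connection log lines by policy group.

Added example, not Mihomo code. The line shape is an assumption modelled on
Mihomo's '[TCP] src --> host:port match Rule(payload) using Group[node]'
messages; adjust LOG_RE to your build. All hosts and nodes are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

LOG_RE = re.compile(
    r"\[(?P<proto>TCP|UDP)\]\s+(?P<src>\S+)\s+-->\s+(?P<host>[^:\s]+):(?P<port>\d+)"
    r"\s+match\s+(?P<rule>[A-Za-z]+)(?:\((?P<payload>[^)]*)\))?\s+using\s+(?P<group>[^\[\s\"]+)"
)

MS_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com", "office365.com",  # families routed to PROXY_MS365
               "sharepoint.com", "onedrive.com", "live.com", "msftauth.net", "msauth.net")

def is_microsoft_host(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in MS_SUFFIXES)

def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only lines that look like connection records; return their named fields."""
    return [m.groupdict() for m in map(LOG_RE.search, lines) if m]

def triage(lines: List[str], ms_group: str = "PROXY_MS365") -> Dict[str, object]:
    """stray: Microsoft hosts exiting outside ms_group; two_exits: hosts seen through
    more than one group; candidates: unknown hosts only the catch-all rule caught."""
    exits: Dict[str, Set[str]] = defaultdict(set)
    candidates: Set[str] = set()
    for rec in parse_log(lines):
        host = rec["host"].lower()
        exits[host].add(rec["group"])
        if rec["rule"].lower() == "match" and not is_microsoft_host(host):
            candidates.add(host)
    return {
        "stray": {h: sorted(g) for h, g in exits.items() if is_microsoft_host(h) and g != {ms_group}},
        "two_exits": {h: sorted(g) for h, g in exits.items() if len(g) > 1},
        "candidates": sorted(candidates),
    }

# Constructed window: token refresh, a Graph call that later went DIRECT via a GEOIP row, a OneDrive host with no suffix row, an unknown edge.
SAMPLE_LOG = [
    'time="2026-01-10T09:00:01Z" level=info msg="[TCP] 192.168.1.20:51234 --> login.microsoftonline.com:443 match DomainSuffix(microsoftonline.com) using PROXY_MS365[HK-01]"',
    'time="2026-01-10T09:00:02Z" level=info msg="[TCP] 192.168.1.20:51240 --> graph.microsoft.com:443 match DomainSuffix(microsoft.com) using PROXY_MS365[HK-01]"',
    'time="2026-01-10T09:00:09Z" level=info msg="[TCP] [fd00::20]:51260 --> graph.microsoft.com:443 match GeoIP(CN) using DIRECT"',
    'time="2026-01-10T09:00:11Z" level=info msg="[TCP] 192.168.1.20:51270 --> sync.onedrive.com:443 match Match() using DIRECT"',
    'time="2026-01-10T09:00:12Z" level=info msg="[TCP] 192.168.1.20:51280 --> copilot-edge.example-substrate.net:443 match Match() using DIRECT"',
]
```

In the sample, the Graph host appearing under both PROXY_MS365 and DIRECT (the second time from an IPv6 source via a GEOIP row) is exactly the "two winning rules or an IPv6 leak" pattern to check before rotating nodes.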
9 FAQ
- Is microsoft.com alone enough? Often insufficient for complete sign-in—pair with microsoftonline.com and other planes your logs prove you use; trim rather than over-expand once measured.
- Should Copilot use the same group as GitHub Copilot? Only if measurement shows identical exits and compliance allows—usually keep Office 365 traffic separate from developer-tool hosts.
- Why does Teams video work but Word Copilot stalls? Different transports and CDNs; verify attachment and Graph paths, not only UDP media.
- Can I stay on system proxy only? Sometimes, yet mixed native stacks frequently need TUN—test both before standardizing.
10 Wrap-up
Reliable Microsoft 365 Copilot use in 2026 depends on routing the entire Office 365 client story: Microsoft sign-in on Entra-class hosts, Graph-backed productivity calls, Copilot orchestration on Microsoft’s substrate, and OneDrive plus SharePoint storage for the files Copilot reads. Express that with Clash or Mihomo through explicit DOMAIN-SUFFIX rows ordered above blunt regional imports, optional curated rule providers for teams, and DNS settings aligned with how your OS resolves names. Compared with ChatGPT-centric or GitHub-only lists, this playbook keeps traffic inside Microsoft’s commercial boundary—so audits stay legible and your YAML stays maintainable.
Among proxy stacks, Clash’s transparent YAML and mature desktop clients suit operators who run browsers, Office, and occasional terminals on one machine. When you need installers, prefer our download hub for curated builds; cite upstream repositories for transparency, not as the default end-user installer path.
When routing stops stealing attention cycles, teams can focus on templates, retention policies, and prompts—which is what a dependable enterprise network should unlock for Office 365 users this year.