Fix Microsoft Copilot Web in 2026: Clash Domain Rules and DNS Setup
In 2026, Microsoft continues to weave Copilot into Microsoft 365 apps, Edge, Windows, and the public Copilot experience on the web. That is great until the browser page is blank, the sign-in step spins forever, or the assistant loads while follow-up API calls silently fail. Those symptoms are only sometimes “Microsoft is down.” Often they are split routing: the HTML shell and the identity or Graph traffic are leaving through different Clash policies, or DNS answers do not match how your rules and fake-ip mode classify flows. This guide follows the same log-first method we use for other domain plus DNS walkthroughs: align capture and DNS, place focused DOMAIN and DOMAIN-SUFFIX matchers ahead of broad finals, and prove rule hits on real failures. It deliberately differs from our Netflix and pure Zoom / Teams video articles: Copilot is an office AI surface with Microsoft identity, M365 backends, and CDN assets—not a single streaming host or a real-time media stack.
What “Copilot will not open” really means in 2026
Users say “Copilot is down” when they see several unrelated failure modes. The consumer Copilot experience may live on copilot.microsoft.com and related hosts, while Microsoft 365 Copilot features in Word or Outlook may call Graph APIs, substrate services, and regional edges whose names are easy to miss in a hasty rules file. A page can show a skeleton while a blocked call to token or licensing endpoints leaves the UI idle. Clash only helps when the path your machine actually uses is the one you intended—so the first job is to separate network policy mistakes from account or tenant restrictions.
Corporate environments add another layer. Conditional Access, data residency settings, and admin toggles for generative AI can block Copilot even on a “perfect” home network. This article assumes you control the client and a legitimate policy profile; it does not promise to bypass enterprise controls or licensing. Where routing cannot help, we say so plainly so you do not spend nights editing YAML for an HR-mandated block.
Why Copilot is not the same as ChatGPT or Teams on the wire
Our ChatGPT and OpenAI API guide targets OpenAI’s origin mix: chat, platform APIs, and file flows under patterns that do not look like a typical Microsoft 365 day. Microsoft Copilot and M365 traffic interleave Entra ID (formerly Azure AD) sign-in, login.microsoftonline.com or related STS flows, and large volumes of *.microsoft.com, *.office.com, and graph.microsoft.com—plus CDN and static asset hostnames that may not say “Copilot” in the suffix. If you only proxy the pretty chat hostname and let identity fall through to an early DIRECT rule that is broken in your region, you get the exact “login spinner” experience.
Our Zoom and Teams article focuses on real-time video, UDP, and meeting edge domains. Teams does share the Microsoft identity stack with Copilot, but Copilot on the web is closer to a document-and-API workload than a sustained UDP media session. You still care about DNS consistency, yet the hot hostnames and failure signatures differ. Keep both articles in your bookmarks, but do not treat them as interchangeable templates.
When a proxy cannot fix the problem
If your organization disabled Copilot, requires a specific region, or enforces a compliant device posture, Clash rules will not create an entitlement. Similarly, a consumer license that does not include Copilot for Microsoft 365 will not “unlock” by routing through another country. Use this guide when symptoms point to split paths, DNS disagreement, or rule order—for example, the same account works on an unmetered LTE path without the proxy, but fails when the office profile is on.
Step 0: reproduce and capture what the core actually saw
Open a single Copilot session in one browser profile to reduce noise. Trigger the failure until it is stable: blank canvas, continuous loading, or a post-sign-in stall. In your Clash or Mihomo log, collect lines that show destination hostnames (or SNI), transport if listed, and which proxy group or policy won. Capture at least one full attempt from cold start through failure; Microsoft flows often contact login first, then API and CDN in quick succession. If the log is silent while the tab clearly talks to the network, you are not capturing the traffic—return to system proxy versus TUN in the next step before you add domains.
Pause other tunnel software for the test window. Two stacks fighting for the default route produce “haunted” symptoms that no static list can fix. If you recently turned on sniffing on a Meta-class core, see our page on sniffing exceptions before you blame Microsoft.
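To turn the capture into evidence rather than a scroll-through, here is an added Python checker (not code from the article or from any Clash project) that parses connection lines in the shape Clash Meta / Mihomo prints, then groups Microsoft hostnames by the policy that won; the sample log lines are constructed for the example and the regex assumes the `[TCP] src --> host:port match Rule(payload) using Group[node]` layout.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like Clash Meta / Mihomo connection logs (not a real capture).
# Line 3 and 4 show the split-routing failure: identity and Graph leave through other outbounds.
SAMPLE_LOG = """\
time="2026-01-12T09:14:01Z" level=info msg="[TCP] 192.168.1.20:51234 --> copilot.microsoft.com:443 match DomainSuffix(microsoft.com) using Microsoft[hk-01]"
time="2026-01-12T09:14:01Z" level=info msg="[TCP] 192.168.1.20:51235 --> res.cdn.office.net:443 match DomainSuffix(office.net) using Microsoft[hk-01]"
time="2026-01-12T09:14:02Z" level=info msg="[TCP] 192.168.1.20:51236 --> login.microsoftonline.com:443 match GeoIP(CN) using DIRECT"
time="2026-01-12T09:14:03Z" level=info msg="[TCP] 192.168.1.20:51237 --> graph.microsoft.com:443 match Match() using Proxy[us-02]"
time="2026-01-12T09:14:03Z" level=info msg="[UDP] 192.168.1.20:5353 --> 224.0.0.251:5353 match IPCIDR(224.0.0.0/4) using DIRECT"
"""

# Assumed log shape: "[TCP] src --> host:port match Rule(payload) using Group[node]".
LINE_RE = re.compile(
    r'\[(?P<proto>TCP|UDP)\] \S+ --> (?P<host>[^:\s]+):\d+ '
    r'match (?P<rule>[A-Za-z]+)\((?P<payload>[^)]*)\) using (?P<policy>[^\[\s"]+)'
)

# Suffix families from the article's baseline list; extend after reading your own logs.
MS_SUFFIXES = ("microsoft.com", "microsoftonline.com", "live.com", "office.com", "office.net")

def parse_log(text):
    """One dict per connection line: proto, host, matched rule type, payload, policy group."""
    return [m.groupdict() for m in (LINE_RE.search(line) for line in text.splitlines()) if m]

def split_routing(entries, suffixes=MS_SUFFIXES):
    """Map policy group -> set of Microsoft hosts that hit it. More than one key means the
    shell, identity and Graph calls are leaving through different outbounds."""
    by_policy = defaultdict(set)
    for e in entries:
        if any(e["host"] == s or e["host"].endswith("." + s) for s in suffixes):
            by_policy[e["policy"]].add(e["host"])
    return dict(by_policy)

if __name__ == "__main__":
    groups = split_routing(parse_log(SAMPLE_LOG))
    for policy, hosts in sorted(groups.items()):
        print(f"{policy:10} {sorted(hosts)}")
    print("SPLIT ROUTING detected" if len(groups) > 1 else "all Microsoft hosts share one policy")
```

Feed it your own log with `parse_log(open(path).read())`; the `rule` field also tells you whether a host was claimed by the matcher you wrote or by a wide GEOIP or MATCH line further down.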
Step 1: confirm traffic reaches the policy engine
System proxy mode is convenient on desktops because browsers usually honor it. Not every helper process, embedded WebView, or Office add-in does. TUN mode increases how much traffic reaches the core, at the cost of more moving parts: DNS redispatch, IPv6, and coexistence with other virtual adapters. If your log stays empty during a clear failure, treat capture as the primary bug.
On Windows 11, some Microsoft Store and UWP surfaces ignore classic proxy settings. If your case involves those hosts, read UWP loopback and system proxy on Windows 11 alongside this page, then re-run the same Copilot test with logs. For a deeper comparison of stack choices, the TUN mode deep dive is still the right long-form reference.
Step 2: align DNS with fake-ip, redir-host, and browser DoH
Misaligned DNS is the fastest way to make thoughtful rules look “broken.” If the operating system resolves Microsoft names through a public DoH path while the core uses fake-ip mapping, you can get polished HTML, stalled JavaScript, or TLS handshakes to addresses your policy classifies differently than you expect. For the test window, aim for a single coherent resolution path through the stack you are debugging, not perfect loyalty to a specific public resolver label.
Watch for split-brain on dual-stack networks. If IPv4 and IPv6 take different policy paths, symptoms look like “sometimes loads, sometimes not.” If an OS or browser secure DNS toggle bypasses the resolver chain that your Clash profile assumes, matchers based on SNI can still work—until they do not, which is maddening. When “rules never seem to match,” align timestamps in the log with resolver traffic, then retest. For a parallel story where CDN and auth mixed awkwardly, compare OpenAI Sora, media CDNs, and Clash; the hostnames differ, but the checklist mindset is the same.
Step 3: rule order still wins—first match, not “best” match
Clash walks your rules in order. A wide GEOIP line, a large RULE-SET, or an early MATCH can send Microsoft traffic somewhere you did not mean. The opposite error is an over-broad “send everything to proxy” block above the LAN exclusions you need. The discipline that works in 2026 is unchanged: RFC1918 and loopback first, app-specific or vendor-specific matchers next, regional and final rules after.
When your subscription updates overnight, the merge order can change. Use prepend or append features in a maintained GUI, or a small local override you control, as explained in the custom rules tutorial. After any import, re-run the Copilot test and confirm the same hostnames hit the same group you expect.
Baseline host families to confirm in your logs
Treat every static list as a hypothesis. Microsoft rotates edges; clients update. The following suffix and name families appear frequently in browser sessions for Copilot and M365 and are reasonable seeds for DOMAIN and DOMAIN-SUFFIX lines—after you have seen them in your own captures during a real failure, or you have a clear reason to pre-stage them for a greenfield profile.
- Public Copilot and Bing-adjacent surfaces: copilot.microsoft.com and subdomains, plus www.bing.com or other Bing properties when the product flow still touches search or Sydney-class backends—your log lines are definitive.
- Sign-in and identity: login.microsoftonline.com, login.live.com, and related Entra STS hosts used during account selection and token exchange.
- Microsoft 365 and Office web: office.com, www.office.com, outlook.office.com, and sibling names for mail and calendaring when you open Copilot from those shells.
- Graph and REST: graph.microsoft.com and regional variants when the UI calls Microsoft Graph for content or settings.
- CDN and static assets: res.cdn.office.net and other asset domains, including third-party CDNs, may appear in parallel with product HTML—if assets fail while the title bar looks fine, widen your capture before you add exotic suffixes from forums.
YAML fragment: keep Microsoft 365 and Copilot-oriented traffic together (illustrative)
Assume a group named Microsoft (rename to match your profile). This fragment is not a full profile—merge carefully with provider templates, keep LAN rules above broad matchers, and verify every line against your own logs on your network on the day you deploy it.
# Local and loopback (tune to your LAN)
IP-CIDR,192.168.0.0/16,DIRECT
IP-CIDR,10.0.0.0/8,DIRECT
IP-CIDR,172.16.0.0/12,DIRECT
IP-CIDR,127.0.0.0/8,DIRECT
# Microsoft 365 and Copilot-oriented (verify in YOUR logs)
DOMAIN-SUFFIX,microsoft.com,Microsoft
DOMAIN-SUFFIX,microsoftonline.com,Microsoft
DOMAIN-SUFFIX,live.com,Microsoft
DOMAIN-SUFFIX,office.com,Microsoft
DOMAIN-SUFFIX,office.net,Microsoft
DOMAIN-SUFFIX,sharepoint.com,Microsoft
DOMAIN-SUFFIX,azure.com,Microsoft
DOMAIN,login.microsoftonline.com,Microsoft
DOMAIN,graph.microsoft.com,Microsoft
# Remainder: GEOIP, MATCH, etc.
Why not a tiny “Copilot only” one-liner? Because real sessions quickly touch identity and Graph alongside the chat surface. A minimal list is elegant until the first token refresh detours to an unexpected suffix. When you are confident the failure is only the marketing web shell, you can tighten—but tighten using log proof, not hope. For selector and group health patterns, the proxy groups guide still applies.
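To see first-match in action on the fragment above, here is an added Python simulator (not part of the article or of any Clash project) that walks a trimmed copy of those rules the way Clash does and flags lines an earlier rule shadows; the exact DOMAIN lines in the fragment sit under DOMAIN-SUFFIX lines that already cover them, so a log will report the suffix rule as the match, never the exact one. Hostname probes treat IP-CIDR as if it carried `no-resolve`, an assumption of the example.

```python
import ipaddress

# Trimmed copy of the article's fragment with a MATCH tail, as "TYPE,payload,policy" lines.
RULES_TEXT = """\
IP-CIDR,192.168.0.0/16,DIRECT
IP-CIDR,10.0.0.0/8,DIRECT
DOMAIN-SUFFIX,microsoft.com,Microsoft
DOMAIN-SUFFIX,microsoftonline.com,Microsoft
DOMAIN-SUFFIX,office.com,Microsoft
DOMAIN,login.microsoftonline.com,Microsoft
DOMAIN,graph.microsoft.com,Microsoft
MATCH,Proxy
"""

def parse_rules(text):
    """Return [(kind, payload, policy)], ignoring comments and blank lines; MATCH has no payload."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(",")
        rules.append(("MATCH", None, parts[1]) if parts[0] == "MATCH" else tuple(parts[:3]))
    return rules

def first_match(rules, host=None, ip=None):
    """Walk top to bottom like Clash; return (index, policy) of the first hit.
    Hostname-only probes skip IP-CIDR (assumption: every IP rule behaves as no-resolve)."""
    for i, (kind, payload, policy) in enumerate(rules):
        if kind == "DOMAIN" and host == payload:
            return i, policy
        if kind == "DOMAIN-SUFFIX" and host and (host == payload or host.endswith("." + payload)):
            return i, policy
        if kind == "IP-CIDR" and ip and ipaddress.ip_address(ip) in ipaddress.ip_network(payload):
            return i, policy
        if kind == "MATCH":
            return i, policy

def shadowed_rules(rules):
    """Probe each DOMAIN/DOMAIN-SUFFIX rule with its own payload as the hostname; if an earlier
    rule claims it, the later line can never fire and will never show up as a log 'match'."""
    dead = []
    for i, (kind, payload, _) in enumerate(rules):
        if kind in ("DOMAIN", "DOMAIN-SUFFIX"):
            winner, _ = first_match(rules, host=payload)
            if winner != i:
                dead.append((i, winner))  # (shadowed rule index, rule that wins instead)
    return dead

RULES = parse_rules(RULES_TEXT)
```

Run `shadowed_rules(RULES)` against your merged profile after each subscription update; a non-empty result is the cheapest way to spot a reorder that silently demoted a Microsoft matcher below a broad line.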
Node selection for “office AI” is about consistency, not all-day speed tests
Latency leaderboards and single-tab speed tests are poor predictors of stable sessions across Microsoft edges. A node that looks fast for a short HTTPS burst can still sit on an ASN or path that the service stack treats cautiously, or that flaps when background calls race. For troubleshooting, pin one exit through an entire test matrix, then widen to rotation after the path is proven.
If your provider names cities, prefer staying in a single metro for a session. Wild egress hopping in the middle of a token or consent flow is a reliable way to create odd mid-session states that look like product bugs. Document which exit worked; that record ages better than another mystery toggle in the GUI.
Symptom quick map (guidance, not dogma)
- Landing page loads, sign-in never finishes: check identity hostnames; confirm they share the same outbound as the first-party shell.
- Works in Edge, not in a secondary browser profile: compare secure DNS (DoH) settings, browser extensions, and any split-tunnel extensions; profile A may bypass your resolver assumptions.
- Intermittent “please sign in again” in M365 apps: time-correlate with egress changes, subscription refreshes, or a recent rule merge that reordered your YAML.
- Quiet logs during a visible failure: revisit capture mode; the core is not in the data path for that process.
- Everything fails only on a managed laptop: consider compliance policy before you tune routing further.
Privacy, terms, and realistic expectations
Using Clash to change how your packets leave a network you legitimately control is a routing choice, not a license to ignore Microsoft terms, employer policies, or local law. If your school or company forbids split tunneling, the ethical path is to follow that rule.
Upstream GitHub repositories are useful for source and issues, but the blog’s client install guidance stays anchored to the project’s own download page so you pick a maintained GUI and stay aligned with packaging notes.
Putting it together
Microsoft Copilot in the browser, alongside M365 features that lean on the same identity and Graph layer, is a multi-hostname problem. Reliable access with Clash in 2026 is less about copying a long domain dump and more about a tight loop: reproduce with logs, align DNS with your mode, keep related Microsoft hostnames in one policy bucket ahead of wide finals, and prove matches while the failure is live. Next to that workflow, you can read our Teams-focused connectivity guide for meeting edges and our OpenAI article for a non-Microsoft model stack—then keep three separate mental models instead of one fused “AI tab” shortcut.
If you are new to Clash Meta-class clients, start with the Clash tutorial, import your subscription, then add conservative overrides. When you are ready to standardize installers, use the download page as the main entry—Download Clash for free and experience the difference.