As part of my security measures, I don’t enable cookies by default for all sites. I enable them per-site, on an as-needed basis. So my whitelist is very large, but I think it helps more than it hinders.
So modern web applications depends on lots and lots of cookies. The office.com applications depend on a large set of domains. Here is what I have learned so far:
adfs.example.com (my company's ADFS page)