In Azure, we have multiple subscriptions and with every subscription, we add some kind of instance ID. We can work with the instance ID so that we allow all of the instances containing nodules. Everything else, we block. This way, if you go to outlook.com and check your email, if you log in with your company account, the instance ID will show. The network will take action according to the instance ID and say, "You are using the enterprise email. I'll let you surf. I'll let you see your email." But when you try to log in with your own email address, like Hotmail or Gmail, the instance ID will be different.
This way we are not completely blocking Outlook, but we are blocking people from accessing their Outlook. We are only allowing the enterprise-level emails, and we are not allowing user-based emails.