by saurik 2530 days ago
(This is in no way a complete or even precise answer, but is maybe still helpful.) One big issue is how cookies can be configured by subdomains to affect other subdomains, causing you to sometimes need full domain names to create security boundaries.

This is exactly right. Different parts of the business have different security scopes, and different domains are the easiest way to keep things separate: make the browser help keep data separate, and not share things across the organization.

This can also reduce cookie size, which adds up.

This all sounds reasonable but Google doesn’t use this strategy and it looks cleaner for the end user. So why can’t O365 do similar?
Not everyone equally applies security concepts and isolation the same way. Google is probably less concerned around certain web attacks compared to Microsoft. Microsoft isolates their corporation from customer things, which is good I'd say.
Google does use it:

googleusercontent.com

gstatic.com

etc
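
Added example, not part of the thread: a simplified JavaScript model of the RFC 6265 cookie domain-matching rules, showing why a cookie set by one subdomain can reach its siblings while a separate registrable domain stays isolated. The host names and the one-entry public suffix set are constructed for illustration; real browsers consult the full Public Suffix List.

```javascript
// Constructed stand-in for the Public Suffix List that real browsers consult.
const PUBLIC_SUFFIXES = new Set(["com"]);

// RFC 6265 section 5.1.3: does a request host domain-match a cookie domain?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // IP-address hosts only ever match exactly, never by suffix.
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Storage decision for a Set-Cookie from setterHost; null means rejected.
function acceptCookie(setterHost, domainAttr) {
  if (!domainAttr) return { domain: setterHost.toLowerCase(), hostOnly: true };
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (PUBLIC_SUFFIXES.has(domain)) return null; // no cookies for all of .com
  if (!domainMatch(setterHost, domain)) return null; // setter must be in scope
  return { domain, hostOnly: false };
}

// Which of the given hosts would receive the cookie on a request?
function exposure(setterHost, domainAttr, hosts) {
  const cookie = acceptCookie(setterHost, domainAttr);
  if (!cookie) return [];
  return hosts.filter((h) =>
    cookie.hostOnly ? h.toLowerCase() === cookie.domain : domainMatch(h, cookie.domain)
  );
}

// Constructed hosts: three under one registrable domain, one under another.
const HOSTS = ["example.com", "blog.example.com", "mail.example.com",
               "files.example-usercontent.com"];

// Domain=example.com set by blog: reaches the apex and every sibling.
console.log(exposure("blog.example.com", "example.com", HOSTS));
// No Domain attribute: host-only, stays on blog.
console.log(exposure("blog.example.com", undefined, HOSTS));
// A host on the separate domain cannot plant a cookie for example.com.
console.log(exposure("files.example-usercontent.com", "example.com", HOSTS));
// Its widest possible scope never touches example.com hosts.
console.log(exposure("files.example-usercontent.com", "example-usercontent.com", HOSTS));
```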