Tenant restrictions were configured on the Cloud SWG (formerly known as WSS) tenant as documented in "How to implement Microsoft Azure AD Tenant Restriction on WSS (previously known as Office 365 tenant restriction)".
However, login.live.com is blocked intermittently.
The same user may either reach this URL or see it blocked after a few attempts at reaching it.
WSS Agent
The bypass list contained domains associated with login.live.com. As of July 2022, the Subject Alternative Name list of the login.live.com certificate covered many other Microsoft sign-in domains, including login.microsoftonline.com.
In this particular case, login.live.com resolved to IP ranges belonging to login.microsoftonline.com, which the customer had bypassed.
Removing login.microsoftonline.com from the bypass list resolved the issue, and login.live.com was consistently blocked from then on.
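To check a bypass list for this kind of collision, the following added example (not Broadcom code) resolves a hostname that must be blocked and each bypassed domain several times and reports shared addresses. The function names, the `example-app.test` entry and the sample DNS answers are constructed, and it assumes, as the cause above implies, that a bypass entry takes effect for every hostname served from the same IPs.

```python
import socket
from collections import defaultdict

def system_resolve(host):
    """Resolve host to a set of IP strings with the OS resolver."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def find_bypass_overlap(blocked_host, bypass_domains, resolve=system_resolve, rounds=5):
    """Return {bypass_domain: [shared IPs]} for bypass entries whose addresses
    were also returned for blocked_host. DNS answers rotate, so each name is
    resolved `rounds` times and the answers are accumulated."""
    blocked_ips = set()
    bypass_ips = defaultdict(set)
    for _ in range(rounds):
        blocked_ips |= resolve(blocked_host)
        for domain in bypass_domains:
            if domain.startswith("*."):
                continue  # wildcard entries cannot be resolved directly
            bypass_ips[domain] |= resolve(domain)
    return {d: sorted(ips & blocked_ips)
            for d, ips in bypass_ips.items() if ips & blocked_ips}

def make_rotating_resolver(answers):
    """Offline stand-in for DNS: cycles through the listed answer sets."""
    calls = defaultdict(int)
    def resolve(host):
        pools = answers.get(host, [set()])
        ips = pools[calls[host] % len(pools)]
        calls[host] += 1
        return set(ips)
    return resolve

# Constructed answers using documentation address ranges (RFC 5737).
SAMPLE_ANSWERS = {
    "login.live.com": [{"192.0.2.10"}, {"198.51.100.20"}],
    "login.microsoftonline.com": [{"198.51.100.20", "198.51.100.21"}],
    "example-app.test": [{"203.0.113.5"}],
}
SAMPLE_BYPASS = ["login.microsoftonline.com", "example-app.test", "*.example.test"]

def demo(rounds):
    resolve = make_rotating_resolver(SAMPLE_ANSWERS)
    return find_bypass_overlap("login.live.com", SAMPLE_BYPASS, resolve, rounds)

if __name__ == "__main__":
    print(demo(rounds=4))
```

A single lookup can miss the shared address, which matches the intermittent behaviour described above, so run several rounds, ideally from the affected client's own resolver.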