All of the first-party connections seem to have proper DNS names, even on CDN (microsoft.com, microsoft.com.akadns.net). The ad networks are obvious third parties that could be dropped. I mean, there could be more stuff I didn't see, but from the screenshots, DNS blackholing seems viable.
DNS blackholing is playing whack-a-mole. I can blackhole scontent.xx.fbcdn.net today, and I have no assurance or confidence that they won't use scontent.xx.fbcdn2.net tomorrow.
DNS/FW whitelist is the only way to have even a little confidence that egress is controlled at this point.
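The blocklist-versus-allowlist point made in the last two comments, as an added example that is not from the thread: the zone names come from the comments above, the query log and the renamed `fbcdn2` host are constructed, and the matching is plain label-boundary suffix matching (real resolver allowlists such as an unbound or firewall policy would encode the same rule).

```python
# Added example (not from the thread): compare a DNS blocklist ("blackhole")
# against a DNS allowlist over a constructed set of observed query names,
# to show why the blocklist misses a renamed CDN host.

def _matches(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (label-boundary match)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def blackhole_decision(name: str, blocked_zones) -> str:
    """Blocklist (blackhole) policy: deny only names under a known-bad zone."""
    return "DENY" if any(_matches(name, z) for z in blocked_zones) else "ALLOW"

def allowlist_decision(name: str, allowed_zones) -> str:
    """Allowlist policy: permit only names under an explicitly approved zone."""
    return "ALLOW" if any(_matches(name, z) for z in allowed_zones) else "DENY"

# Zones taken from the thread; note the akadns.net CDN zone is not a subdomain
# of microsoft.com, so an allowlist has to name it explicitly.
BLOCKED_ZONES = ["scontent.xx.fbcdn.net"]
ALLOWED_ZONES = ["microsoft.com", "microsoft.com.akadns.net"]

# Constructed query log: the first-party names from the thread, the blackholed
# CDN host, and the hypothetical renamed host the second comment worries about.
OBSERVED_QUERIES = [
    "www.microsoft.com",
    "www.microsoft.com.akadns.net",
    "scontent.xx.fbcdn.net",
    "scontent.xx.fbcdn2.net",   # hypothetical rename, not on any blocklist
    "notmicrosoft.com",          # must not match "microsoft.com" as a suffix
]

def evaluate(queries=OBSERVED_QUERIES) -> dict:
    """Return {name: (blackhole_decision, allowlist_decision)} for each query."""
    return {q: (blackhole_decision(q, BLOCKED_ZONES),
                allowlist_decision(q, ALLOWED_ZONES)) for q in queries}

def blackhole_misses(queries=OBSERVED_QUERIES) -> list:
    """Names the blocklist lets through but the allowlist would stop."""
    return [q for q, (bh, al) in evaluate(queries).items()
            if bh == "ALLOW" and al == "DENY"]

if __name__ == "__main__":
    for name, (bh, al) in evaluate().items():
        print(f"{name:32} blackhole={bh:5} allowlist={al}")
    print("missed by blackhole:", blackhole_misses())
```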