Whitelist regex domain blocked due to adlist

I was still seeing things on my exact whitelist fail nslookup with pi-hole enabled and not with pi-hole disabled and not when using a browser. And I think I may have gotten closer to finding out why.

nslookup main.iam.ad.ext.azure.com
Server: pi.hole
Address: 192.168.10.10

Name: main.iam.ad.ext.azure.com.[note nslookup adds a FQDN]
Addresses: ::
0.0.0.0

nslookup main.iam.ad.ext.azure.com
Server: pi.hole
Address: 192.168.10.10

Non-authoritative answer:
Name: www.tm.f.prd.aadg.akadns.net
Addresses: 40.126.23.6
40.126.23.8
20.190.151.71
40.126.23.9
20.190.151.136
20.190.151.72
20.190.151.135
Aliases: main.iam.ad.ext.azure.com
na.privatelink.msidentity.com
prdf.aadg.msidentity.com

I'm thinking since it oddly adds an FQDN in nslookup, it fails the exact whitelist and hits on the regex blacklist for a fail result in pi-hole, and the browser doesn't "helpfully" add the FQDN, so it passes. As noted below, this is confirmed to be an nslookup issue, not a pi-hole issue.

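The behaviour described in the post above can be reproduced with a small model. This is an added example, not part of the original post and not Pi-hole's code. The search suffix `home.example`, the deny regex and the simplified rule order (exact allow first, then deny regexes) are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not taken from the post).
SEARCH_SUFFIXES = ["home.example"]               # client's DNS suffix search list
EXACT_ALLOW = {"main.iam.ad.ext.azure.com"}      # exact allow entry
REGEX_DENY = [re.compile(r"\.ext\.azure\.com")]  # constructed deny regex
UPSTREAM_EXISTS = {"main.iam.ad.ext.azure.com"}  # names the upstream would answer


def candidate_names(name, suffixes):
    """Names a suffix-appending client queries, in order."""
    if name.endswith("."):                       # trailing dot: absolute name, no suffixes
        return [name.rstrip(".").lower()]
    bare = name.lower()
    return [f"{bare}.{s}" for s in suffixes] + [bare]


def filter_verdict(qname):
    """Simplified model: an exact allow entry wins, then deny regexes, else forward."""
    if qname in EXACT_ALLOW:
        return "allowed"
    if any(rx.search(qname) for rx in REGEX_DENY):
        return "blocked"
    return "forwarded"


def lookup(name, suffixes=SEARCH_SUFFIXES):
    """Return (queried_name, result) for the first candidate that gets an answer."""
    for qname in candidate_names(name, suffixes):
        if filter_verdict(qname) == "blocked":
            # A blocked reply (0.0.0.0 / ::) is still an answer, so the client
            # stops here and never queries the bare, allow-listed name.
            return qname, "0.0.0.0"
        if qname in UPSTREAM_EXISTS:
            return qname, "resolved"
    return name, "NXDOMAIN"


if __name__ == "__main__":
    for query in ("main.iam.ad.ext.azure.com", "main.iam.ad.ext.azure.com."):
        print(query, "->", lookup(query))
```

Querying with a trailing dot, or checking the name that actually appears in the Pi-hole query log, shows whether the allow entry or the suffixed name is the one being evaluated.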