Setting cookies involves you telling all your visitors that you're tracking them. How would the server-side tracking be detected?

Fingerprinting still requires a lot of client-side information. Sending that to the server for no good reason may prompt some questions.

I expect Microsoft would still disclose it in their privacy policy. Or be vulnerable to a whistleblower.

It's not "tracking" it's just ensuring a "consistent user experience throughout our ecosystem".

/sarc

The tracking they were fined for was for ad fraud detection, not personalization.

Fair enough... didn't know, since I'm in the US and don't deal with EU on a business level.

Not clear in this case, since while detecting ad fraud doesn't meet the "strictly necessary" requirements of ePrivacy (necessary for storing the cookie on your machine) it is still an open question whether the GDPR requires user consent for it. (Lawyers at advertising companies think that you don't, but that doesn't mean they're right)

It is but it's a hell of a lot harder to prove.