Some firewalls have FQDN capability (e.g., WatchGuards), which makes careful rule creation practical for a behemoth like Microsoft Office 365 and all of its related services. The info below is condensed from here. I have omitted a few items (e.g., ports 25, 465, and 993, and *.msn.com), for reasons which I hope are reasonably obvious.
Create one rule with these ports:
50000-59999, TCP and UDP
to the following list of locations, and it is done.
*.office365.com
*.office.com
*.office.net
*.microsoftonline.com
*.msocdn.com
*.microsoft.com
*.live.com
*.onmicrosoft.com
*.msedge.net
*.aadrm.com
*.azurerms.com
*.virtualearth.net
*.cloudapp.net
*.visualstudio.com
*.windowsazure.com
*.cloudappsecurity.com
*.microsoftonline-p.net
*.microsoftonline-p.com
*.msecnd.net
*.azure.com
*.msft.net
*.outlook.com
*.azurewebsites.net
*.lync.com
*.trafficmanager.net
*.skype.com
*.skypeforbusiness.com
*.sharepoint.com
*.sharepointonline.com
spoprod-a.akamaihd.net
*.aspnetcdn.com
*.onenote.com
*.onenote.net
*.yammer.com
*.yammerusercontent.com
ajax.googleapis.com
*.cloudfront.net
*.edgesuite.net
*.edgekey.net
*.sway.com
*.sway-cdn.com
*.sway-extensions.com
ms.tific.com
*.apple.com
auth.gfx.ms
view.atdmt.com
m.webtrends.com
*.getmicrosoftkey.com
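
A way to sanity-check a wildcard list like this before loading it into a firewall, as an added Python example that is not part of the original post: it removes repeated entries, matches hostnames on label boundaries, and flags wildcards that sit over shared hosting or CDN suffixes. The wildcard semantics, the SHARED_SUFFIXES set and the function names are assumptions; the sample list is a subset of the entries above with one repeated on purpose.

```python
"""Audit an FQDN allowlist of the kind shown on this page (added example)."""

# Constructed sample: a subset of the page's entries, with *.msecnd.net
# repeated on purpose to exercise the duplicate check.
ALLOWLIST = """
*.office365.com *.microsoftonline.com *.sharepoint.com *.outlook.com
*.cloudapp.net *.azurewebsites.net *.trafficmanager.net *.cloudfront.net
*.edgesuite.net *.edgekey.net spoprod-a.akamaihd.net ajax.googleapis.com
*.msecnd.net *.msecnd.net
""".split()

# Assumption, not from the page: suffixes under which the provider's customers
# can publish their own hostnames, so the wildcard also admits third-party content.
SHARED_SUFFIXES = {"cloudapp.net", "azurewebsites.net", "trafficmanager.net",
                   "cloudfront.net", "edgesuite.net", "edgekey.net"}


def dedupe(entries):
    """Return (unique entries in original order, entries that were repeated)."""
    seen, unique, repeated = set(), [], []
    for entry in (e.strip().lower().rstrip(".") for e in entries):
        (repeated if entry in seen else unique).append(entry)
        seen.add(entry)
    return unique, repeated


def matches(host, pattern):
    """Match on label boundaries: '*.x.com' covers any subdomain of x.com,
    but not x.com itself and not 'evilx.com' (assumed wildcard semantics)."""
    host = host.strip().lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith("." + pattern[2:]) and len(host) > len(pattern) - 1
    return host == pattern


def is_allowed(host, entries):
    """True if any allowlist entry covers the hostname."""
    return any(matches(host, p) for p in dedupe(entries)[0])


def shared_wildcards(entries):
    """Wildcard entries whose suffix is in SHARED_SUFFIXES: review candidates."""
    return [p for p in dedupe(entries)[0]
            if p.startswith("*.") and p[2:] in SHARED_SUFFIXES]


if __name__ == "__main__":
    print("repeated entries:", dedupe(ALLOWLIST)[1])
    print("shared-hosting wildcards:", shared_wildcards(ALLOWLIST))
    for host in ("outlook.office365.com", "office365.com", "notoffice365.com"):
        print(host, "->", "allow" if is_allowed(host, ALLOWLIST) else "no match")
```

Whether a wildcard entry also covers the bare domain differs between firewall products, so confirm the behaviour on your device before relying on the apex result.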