This was a question for a large university in Arizona moving faculty, staff and students to Office 365.
Here are the ports from the deployment guide (note: these are subject to change so refer here to the latest Port and IP list):
*SMTP Relay with Exchange Online requires TCP port 587 and requires TLS. See TechNet for details on how to configure SMTP Relay with Exchange Online. Note: you will need to provide the SMTP server which is specific to the mailbox used for relay. See the TechNet article Set Up Outlook 2007 for IMAP or POP Access to Your E-Mail Account.
** POP3 access with Exchange Online requires TCP port 995 ) and requires SSL. See TechNet for details on how to configure POP3 with Exchange Online.
Can I lock it down to certain IP ranges, URLs/servers?
Yes, here are the IP ranges and URLs/Servers:
Office 365 portal
Microsoft online services sign in:
Exchange Online sign in and authentication:
22.214.171.124/25 126.96.36.199/25 *.microsoftonline.com *.microsoftonline-p.com *.microsoftonline-p.net *.microsoftonlineimages.com *.microsoftonlinesupport.net
Exchange Online servers: note: only need IP ranges for your geographic region
188.8.131.52/25 184.108.40.206/25 220.127.116.11/25 18.104.22.168/25 22.214.171.124/26 126.96.36.199/25 188.8.131.52/25 184.108.40.206/25 220.127.116.11/25 18.104.22.168/25 22.214.171.124/25 126.96.36.199/25 188.8.131.52/25 184.108.40.206/25 220.127.116.11/25 18.104.22.168/28 22.214.171.124/29 126.96.36.199/29 188.8.131.52/28 184.108.40.206/28 220.127.116.11/28 18.104.22.168/28 22.214.171.124/28 126.96.36.199/29 188.8.131.52/29 184.108.40.206/28 220.127.116.11/28 18.104.22.168/28 22.214.171.124/28 126.96.36.199/29 188.8.131.52/29 184.108.40.206/28 220.127.116.11/28 18.104.22.168/28 22.214.171.124/29 126.96.36.199/29 188.8.131.52/28 184.108.40.206/28 220.127.116.11/28 18.104.22.168/25 22.214.171.124/25 126.96.36.199/26
188.8.131.52/25 184.108.40.206/25 220.127.116.11/25 18.104.22.168/25 22.214.171.124/25 126.96.36.199/25 188.8.131.52/25 184.108.40.206/25 220.127.116.11/26
18.104.22.168/25 22.214.171.124/25 126.96.36.199/25 188.8.131.52/25
Microsoft Federation Gateway – required for federated delegation and hybrid deployments
184.108.40.206/25 220.127.116.11/24 *.microsoftonline-p.com *.live.com *.microsoftonline.com *.microsoftonlinesupport.net
FOPE URLs and IP addresses
Lync Online URLs and Servers
Lync Online URLs
<p>What does the * next to the ports mean? Bidirectional?</p>
<p>Im guessing that it just is a wild card for those dns namespaces..</p>
<p>The * next to the ports is for a footnote listed below the ports. SMTP relay info and POP3 info.</p>
<p>so are there additional ip addresses for Exchange Online Powershell.</p>
<p>Sorry if the answer is already on the page staring at me, but I'm just not 100% which of these ranges applies to my scenario...</p>
<p>I'm configuring Office 365 for federated security using our inhouse F5 APM SAML Service as a SAML IdP. I need to know which IP ranges to allow into our site so that Office 365 can redirect clients to our IdP for authentication, and of course the reverse for my outbound rule. Is it the range for Exchange online or Office 365 Portal? Where will these authentication requests come from? And wha ports? Just 443? Thanks in advance!</p>
<p>For our federation services using ADFS it is using TCP port 443. I don't know if F5 APM SAML is tested or supported with Office 365. See here for a list of tested 3rd party STS/IdPs: <a rel="nofollow" target="_new" href="http://technet.microsoft.com/en-us/library/jj679342.aspx">technet.microsoft.com/.../jj679342.aspx</a> and this for Shibb as an STS/IdP: <a rel="nofollow" target="_new" href="http://www.microsoft.com/en-us/download/confirmation.aspx?id=35464">www.microsoft.com/.../confirmation.aspx</a>.</p>
<p>Typically, the request for SAML tokens occurs directly to the STS (ADFS, Shibb, or other tested STS/IdPs) in some cases the token request will come from Office 365 or directly from the requesting client to the STS via 443 when request is made from off network (Internet) e.g. mobile device, Outlook, remote web or Lync, etc.</p>
<p>List of IPs:</p>
<p><a rel="nofollow" target="_new" href="http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh373144.aspx">onlinehelp.microsoft.com/.../hh373144.aspx</a></p>
<p>When will Microsoft finally start to publish all thes IP lists in ONE place and up to date with IP's/ranges added BEFORE they are used in production.</p>
<p>We manage Firewalls for many customers and these customers don't like to open the Internet for all ports required for all Office365 services.</p>
<p>It would be useful for anyone supporting these solutions if there would be a mailinglist you could subscribe to that would tell you when a new IP block is taken to production. </p>
<p>WPAD.DAT or Proxy.pac zfiles need to be updated, to allow access while bypassing proxies.</p>