ukazim

I'm no longer on the Office team at Microsoft, but I do know there was a message center post at the start of COVID (I don't have the specific reference available) which directed customers in your situation to contact your Microsoft Account Manager (TAM or CSAM) and open a support ticket, as a workaround does exist but is not public. (Microsoft recommends split tunnel by FQDN where possible.) As you stated, if IP is the only way for your customer, MS Support can share instructions to permit this as an exception. If the MS Support person isn't familiar with it, direct them to contact me and I can point them in the right direction to help you. The one caveat is that the workaround only works when using the default update-from-CDN scenario. You cannot use Configuration Manager to deliver updates for the Office 365 client and restrict updates to a subset of IPs. Of course, Configuration Manager will continue to provide compliance information; it just won't be involved in pushing updates. In short, the answer is option #1 above + the workaround provided by MS Support (where IPs are shared for your VPN exceptions).