I get asked this from time to time where people will point to some of the Default categorized URLs at http://aka.ms/o365ip. People will tell me that their customer uses a firewall which can only be configured with IP Addresses and therefore they cannot use URLs to identify Office 365 network traffic.
Here's a brief explanation:
IP Addresses for network endpoints that are categorized as Optimize and Allow are provided, but for the worldwide commercial instance no IP Addresses are provided for network endpoints that are categorized as Default. Instead we recommend customers direct Office 365 network traffic that goes to Default categorized endpoints to their default Internet egress location.
There is usually some kind of proxy server which will review and send the request to the Internet over the organizations firewall and the firewall is configured to allow network traffic from the proxy server. Network traffic bound for Office 365 which is categorized as Default is proxy aware and is okay to manage in this way. It's the same as if a user enters a new URL into a web browser. The user doesn't have to provide the IP Address for that URL. Instead the request is sent to a proxy server.
Some of these Default categorized endpoints are hosted by Microsoft and some are third party hosted which are dependencies for Office 365 where Microsoft doesn't control the IP Addresses. Microsoft would never be able to publish all of the IP Addresses required for third party dependent services that are needed for Office 365.
You can read more about the Office 365 network endpoint categorization at http://aka.ms/pnc. If you have an environment that does not permit Internet connectivity except as defined on a firewall by IP Addresses, you may have more work here but my experience is that commercial organizations do not actually do this. They instead of restrictions based on a proxy server.