Gunner,
One possible option is to use SkyATP services on the SRX, more specifically the the Office 365 ip filter feed, which is an up-to-date list of published IP addresses for Office 365 service endpoints which you can use in security policies.
To use it, you would configure the feed as a dynamic address object like below (define an address-name, here I call it "office365", that maps to the feed's specific name "ipfilter_office365")
# set security dynamic-address address-name office365 profile category IPFilter feed ipfilter_office365
Then you can match on the address "office365" in a policy like this (I was testing deny, but of course you might want to permit)
policy o365 {
match {
source-address any;
destination-address office365;
application any;
}
then {
deny;
log {
session-init;
}
}
}
You can find a little more here: https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/concept/sky-atp-integrated-feeds.html