I haven't specifically done this for O365, but the network tab of F12, developer tools (variations on all the major browsers) does much to reveal (and troubleshoot) Internet bloatware. If I had an active account, I'd give it a look myself.
We have addressed the same situation - education environment with potentially 30,000 O365 users.
Initially the O365 consultants indicated the O365 should not be transported via Proxy - this proved to be not the case.
We have created a Whitelist for O365 Url.Hosts (to bypass Category/Application and Authentication in Web Gateway - recommended by Microsoft - refer to https://support.content.office.net/en-us/static/O365IPAddresses.xml)
We have observed an increase in concurrent TCP connections but current MWG and Proxy fleet are accommodating at the moment - in saying that I suspect that O365 usage is ever increasing.
Microsoft have indicated that up to 2,000 concurrent IP sessions via external /32 IP Address is advised, thus a NAT Pool is used to distribute external O365 connections from the education entity - Note that the NAT Pool is managed via Load Balancer and not MWG.
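Added example, not part of the thread or of either poster's configuration: a sketch of turning a published address list like the one linked above into host and network bypass lists, rejecting wildcard entries too broad to exempt from authentication and category filtering. The XML layout in the sample (`product`, `addresslist`, `address`), the function name `build_bypass_lists` and all sample values are constructed assumptions; adjust the element names to the real file.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; the element and attribute names are an assumed layout.
SAMPLE_XML = """<products updated="1/1/2017">
  <product name="o365">
    <addresslist type="IPv4">
      <address>192.0.2.0/24</address>
      <address>198.51.100.16/28</address>
    </addresslist>
    <addresslist type="URL">
      <address>*.example-o365.test</address>
      <address>login.example-o365.test</address>
      <address>*.test</address>
    </addresslist>
  </product>
</products>"""

def build_bypass_lists(xml_text, product="o365", min_labels=2):
    """Return (hosts, networks, rejected) for one product entry."""
    root = ET.fromstring(xml_text)
    hosts, networks, rejected = set(), [], []
    for prod in root.iter("product"):
        if prod.get("name") != product:
            continue
        for alist in prod.iter("addresslist"):
            kind = alist.get("type", "")
            for addr in alist.iter("address"):
                value = (addr.text or "").strip().lower()
                if not value:
                    continue
                if kind == "URL":
                    # A wildcard over too few labels would bypass
                    # authentication for far more than the service.
                    base = value[2:] if value.startswith("*.") else value
                    if "*" in base or len(base.split(".")) < min_labels:
                        rejected.append(value)
                    else:
                        hosts.add(value)
                else:
                    try:
                        networks.append(ipaddress.ip_network(value, strict=False))
                    except ValueError:
                        rejected.append(value)
    return sorted(hosts), networks, rejected
```

Entries returned in `rejected` are meant for manual review rather than automatic import into the gateway's bypass list.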
Thanks for the reply NetTas! So if you don't mind my asking, how many MWGs were spec'd out for a deployment of 30,000 O365 users? Your implementation size sounds very similar to ours. We currently run (4) fully loaded 5500C appliances for our user base and they are not even working hard at the moment. But I suspect the TCP port issue will be more of a logical limitation than a physical hardware performance limitation.
Did the McAfee sizing folks make any special adjustments to their recommendation because of the O365 application or did they treat it like any other Internet access requirement basing it purely on user count or bandwidth?