We are using Exchange Online Protection (EOP) from Microsoft. When performing a PCI Scan, it automatically scans the external MS servers and fails due to "UDP Source Port Pass Firewall".
I opened a ticket with MS. They have not yet provided an official response, but indicated that preliminary findings show the "failure" is by design and does not represent any major vulnerability.
If MS won't make changes on their end, then I'm not sure where to go from here. Is this really an issue that should cause compliance to fail?