Just want to let all know that following the documentation did not work.
Our client followed the steps below to allow one user to access SharePoint and SharePoint only via the internet while everything is locked down.
Objects > URL Category and created a new URL Category called SharePoint Online with all the URLs required for access to SharePoint Online.
Objects > URL Filtering and created a new URL Filter. All categories turned off except SharePoint Online and content-delivery-networks. Additionally:
URL Filtering Settings > Turn on > Log Container Page Only, User-Agent, Referer and X-Forwarded-For
User Credentials Detection > Use IP User Mapping and set Valid Username Detected Log Severity to HIGH
HTTP Header Insertion > Create new called Office365
Type > Microsoft Office365 Tenant Restrictions
Headers > add Tenant ID to Value field for Restrict-Access-To-Tenants and Restrict-Access-Context
Now we create the rule in Policies:
Application > any
Service/URL Category > any
Actions > URL Filtering > the name of the filter you created above.
These steps ensured that this user only has access to SharePoint Online via SSO and could not access any other material online.
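A way to check the HTTP Header Insertion step above, added here as an example and not part of the original post or of any vendor's code: it parses a request head as seen after the firewall has inserted the headers and reports whether `Restrict-Access-To-Tenants` and `Restrict-Access-Context` each appear once and carry only the expected tenant ID. The function names, the tenant ID and the sample requests are constructed for illustration; how the request head is captured is assumed and not shown.

```python
import re

GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
TENANTS, CONTEXT = "restrict-access-to-tenants", "restrict-access-context"
TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder

def parse_headers(raw_request):
    """Map lower-cased header name -> list of values from a raw HTTP/1.1 head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_tenant_restrictions(raw_request, tenant_id):
    """Return a list of problems; an empty list means the headers look right."""
    headers = parse_headers(raw_request)
    problems = []
    for name in (TENANTS, CONTEXT):
        count = len(headers.get(name, []))
        if count != 1:  # missing, or duplicated (e.g. a client-supplied copy)
            problems.append(f"{name}: expected once, seen {count} times")
    if problems:
        return problems
    tenant_id = tenant_id.lower()
    allowed = [t.strip().lower() for t in headers[TENANTS][0].split(",")]
    context = headers[CONTEXT][0].lower()
    if tenant_id not in allowed:
        problems.append(f"{TENANTS}: own tenant not listed")
    extra = [t for t in allowed if t != tenant_id]
    if extra:
        problems.append(f"{TENANTS}: extra tenants permitted: {extra}")
    if not GUID.match(context):
        problems.append(f"{CONTEXT}: not a directory ID (GUID)")
    elif context != tenant_id:
        problems.append(f"{CONTEXT}: does not match own tenant")
    return problems

# Constructed sample request heads (not real traffic).
GOOD = ("GET /common/oauth2/authorize HTTP/1.1\r\n"
        "Host: login.microsoftonline.com\r\n"
        f"Restrict-Access-To-Tenants: {TENANT_ID}\r\n"
        f"Restrict-Access-Context: {TENANT_ID}\r\n\r\n")
BAD = ("GET /common/oauth2/authorize HTTP/1.1\r\n"
       "Host: login.microsoftonline.com\r\n\r\n")

if __name__ == "__main__":
    print(check_tenant_restrictions(GOOD, TENANT_ID))
    print(check_tenant_restrictions(BAD, TENANT_ID))
```
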