CanIt works with Office 365 as it does with any SMTP mail service; MX records for the domain are pointed to CanIt, and filtered mail is directed to the Office 365 server by configuring routing using Setup : Domain Routing in Canit.
One issue with Office365 is that Microsoft doesn't provide access to an Active Directory system and does not enable recipient verification by default. So you must either set up a Rules : Valid Recipients list in Canit or integrate CanIt with a separate AD/LDAP directory to allow recipient verification. Alternately in Office365 you can enable the Directory Based Edge Blocking (DBEB) feature, which is similar to the Valid Recipient list in CanIt. Instructions can be found here
However, if you have your own external AD/LDAP you can integrate this with CanIt to do recipient verification, streaming and authentication of user credentials.
Office 365 does provide a public POP3 and IMAP service which you may be able to use for authentication of users accessing the Canit webui. To use these services, please contact Microsoft for details.
Office 365 may check SPF results. For this reason, we strongly recommend enabling Sender Rewriting Scheme. In the default stream for your realm, go to Preferences : Quarantine Settings and set S-930 Enable SRS (Sender Rewriting Scheme) to Yes