Which ports to allow in VM's firewall for Azure AD

We’re setting up SonarQube as a VM in Azure and plan on using Azure AD for authentication, but as a PCI in-scope asset, the firewall must have a default deny-all outbound policy.

I’ve searched and can’t find any information on what IPs/ranges and which ports need to be opened to allow this to work. When there is an allow-all rule, Azure AD auth works perfectly; when the deny-all rule is turned on, you can get to Azure AD to authenticate, but when Microsoft redirects the user back to the SonarQube service, it just sits there. I’m assuming SonarQube needs to reach out to Azure AD for something (authorization?), but for what, I’m not clear.