I had this question twice in one day, so thought I would post this.
Is it possible to restrict access to Office 365 from just internal devices or client types? Yes.
Full details here: http://technet.microsoft.com/en-us/library/dn592182.aspx
Client access policy works by identifying which authentication requests should be permitted based upon attributes of the request itself. To provide this additional request context information, AD FS populates claim values from the client request information such as the connection IP address, the AD FS endpoint, and HTTP headers sent by the client.
|Block all external access to Office 365||Office 365 access is allowed from all clients on the internal corporate network, but requests from external clients are denied based on the IP address of the external client.|
|Block all external access to Office 365, except Exchange ActiveSync||Office 365 access is allowed from all clients on the internal corporate network, as well as from any external client devices, such as smart phones, that make use of Exchange ActiveSync. All other external clients, such as those using Outlook, are blocked.|
|Block all external access to Office 365, except for browser-based applications such as Outlook Web Access or SharePoint Online||Blocks external access to Office 365, except for passive (browser-based) applications such as Outlook Web Access or SharePoint Online|
|Block all external access to Office 365 for members of designated Active Directory groups||This scenario is used for testing and validating client access policy deployment. It blocks external access to Office 365 only for members of one or more Active Directory group. It can also be used to provide external access only to members of a group.|