Thanks for asking question! The other ports are not serving the customer site at all, they are just hosted on the same IP address (you can see that certificates returned for those are not even matching the site hostname in the first place) and are not destination for any browsers anyway.
To elaborate 454, 455 ports are used for internal communication in Azure Websites infrastructure and not something we disclose publicly. Port 8172 is the original WebDeploy port (used by publishing from Visual Studio, WebMatric, etc.) It requires auth and runs over HTTPS. Auth with site credentials is required to get through it. Not sure if the tool requires implicit encryption.
So, the scanner for the customer site should be scoped only to 80/443 as that is truly their site.
Please send an email to AzCommunity[at]Microsoft[dot]com if you have further question regarding this matter.