Explicit Proxy Access methods into WSS
SAML authentication is enabled for users accessing the WSS service
Access control policies allow authenticated users to access certain categories
Users accessing these categories from a browser work fine: pages are rendered as expected
When users open older (pre-2016) MS Office applications such as MS Word and try to access links embedded in the document, they are presented with a policy-denied block page.
MS Office releases older than MS Office 2016
SAML authentication into WSS (or Captive Portal authentication)
The browser in which the user authenticated does not share its session information with MS Office applications that try to access the same URL, so the request from the Office application reaches WSS without any user identity and is denied by the access control policy.
1. If your Office 365 application suite supports it, enable ADAL (modern authentication) so that session information can be shared with the browser; https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online includes more details on this feature.
2. Create a custom policy that allows traffic from the MS Office applications through without being blocked. If you have UPE/Management Center managing the WSS environment, you can add the following logic to
Source: User agent - "Microsoft Office Word 2014" or "Mozilla/4.0 (compatible; ms-office)"
Destination: Any
Action: Bypass auth and allow
The equivalent CPL code looks as follows (the two conditions are combined, so authentication is only suppressed for Office user agents requesting the listed categories):
<proxy>
condition=SAML_suppressed_MSWord_UserAgent condition=MSWord_bypassAuth_Category authenticate(no) ALLOW
define condition SAML_suppressed_MSWord_UserAgent
request.header.User-Agent.substring="Microsoft Office Word 2014"
request.header.User-Agent.substring="ms-office"
end condition SAML_suppressed_MSWord_UserAgent
define condition MSWord_bypassAuth_Category
url.category=("Alcohol","Entertainment","For Kids","Remote Access Tools","Games","Humor/Jokes","Art/Culture","Sports/Recreation","Radio/Audio Streams","TV/Video Streams","Audio/Video Clips","Software Downloads","Media Sharing","File Storage/Sharing","Religion","Government/Legal","Alternative/Spiritual Belief","Military","Political/Social Advocacy","Society/Daily Living","Charitable Organization","Gambling","Controlled Substances","Education","News/Media","Translation","Search Engines/Portals","References","Technology/Internet","Computer/Information Security","Office/Business Application","Internet Connected Devices","Content Servers","WebAds/Analytics","Vehicles","Business/Economy","Travel","Job Search/Careers","Brokerage/Tradings","Shopping","Financial Services","Real Estate","Auctions","E-Card/Invitations","Personals/Datings","Social Networking","Personal Sites","Newsgroups/Forums","Internet Telephony","Email","Chat(IM)/SMS","Online Meetings","Health","Restaurant/Dining/Food","Tobacco")
end condition MSWord_bypassAuth_Category
HTTP logs show the requests sent when the user experiences the issue. In the example below, note that there is no user information in the logged entries (the user and group fields after the client IP contain only "-"), even though the user had authenticated from the browser, and that the requests carry the Office user agents matched by the policy above.
12345 2021-02-25 18:21:59 "DP4-GUSAS1_proxysg3" 8 203.0.113.1 - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED HEAD text/html https www.example.com 443 / - - "Microsoft Office Word 2014" 192.168.4.86 186 264 - - - - 464583 "Example_location" explicit_proxy "-" "-" 203.0.113.1 "United States" CERT_VALID none - none TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 www.example.org "Technology/Internet" TLSv1.2 AES256-GCM-SHA384 256 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 203.0.113.1 "United States" - "Ambiguous - Special Use" 5 5 - - - - - - - - - SSL_Intercept_1 - - - - 2001:db8:ffff:ffff:: xxxxx-xxxxx-xxxxx-xxxxx
12345 2021-02-25 18:22:02 "DP4-GUSAS1_proxysg3" 8 203.0.113.1 - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED GET text/html https www.example.com 443 / - - "Mozilla/4.0 (compatible; ms-office)" 192.168.4.86 16028 195 - - - - 464583 "Example_location" explicit_proxy "-" "-" 203.0.113.14 "United States" CERT_VALID none - none TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 www.example.org "Technology/Internet" TLSv1.2 AES256-GCM-SHA384 256 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 203.0.113.1 "United States" - "Ambiguous - Special Use" 5 5 - - - - - - - - - SSL_Intercept_1 - - - - 2001:db8:ffff:ffff:: xxxxx-xxxxx-xxxxx-xxxxx
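To triage a log export for this symptom, the script below (an added example, not Symantec/Broadcom code) splits each access-log line into fields, keeps quoted values such as the user agent intact, and flags entries that are policy-denied, carry no user identity, and come from one of the Office user agents named in the CPL condition above. It also reports whether the request's category is in the bypass list, so you can tell whether the custom policy would have covered it. The field positions are assumed from the two sample lines above; the two Office lines are the page's own log entries, the third line (an authenticated browser request) is constructed for contrast, and the category list is a subset of the one in the CPL.

```python
"""Triage WSS access-log lines for denied, unauthenticated Office requests.

Example code added for illustration; not part of the WSS product.
"""
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Optional

# ASSUMED 0-based field positions, read off the sample lines on the page
# after shell-style splitting (quoted fields count as one token).
F_DATE, F_TIME, F_USER, F_GROUPS, F_EXCEPTION, F_CATEGORY = 1, 2, 6, 7, 8, 10
F_STATUS, F_METHOD, F_HOST, F_UA = 12, 14, 17, 22

# User-agent fragments matched by the page's SAML_suppressed_MSWord_UserAgent condition.
OFFICE_UA_MARKERS = ("Microsoft Office Word 2014", "ms-office")

# Subset of the categories in the page's MSWord_bypassAuth_Category condition.
BYPASS_CATEGORIES = {
    "Technology/Internet", "Search Engines/Portals", "News/Media",
    "Business/Economy", "Office/Business Application", "Education",
}


@dataclass
class Finding:
    timestamp: str
    host: str
    method: str
    user_agent: str
    category: str
    covered_by_bypass: bool  # True if the custom policy's category list includes it


def parse_fields(line: str) -> List[str]:
    """Split a log line; keeps "Mozilla/4.0 (compatible; ms-office)" as one field."""
    return shlex.split(line, posix=True)


def is_office_user_agent(ua: str) -> bool:
    return any(marker in ua for marker in OFFICE_UA_MARKERS)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a policy-denied request with no user identity
    from an Office user agent; None for anything else."""
    f = parse_fields(line)
    if len(f) <= F_UA:
        return None  # truncated or not an access-log line
    if f[F_EXCEPTION] != "policy_denied":
        return None
    if f[F_USER] != "-":
        return None  # an identified user was denied: a different problem
    ua = f[F_UA]
    if not is_office_user_agent(ua):
        return None
    return Finding(
        timestamp=f"{f[F_DATE]} {f[F_TIME]}",
        host=f[F_HOST],
        method=f[F_METHOD],
        user_agent=ua,
        category=f[F_CATEGORY],
        covered_by_bypass=f[F_CATEGORY] in BYPASS_CATEGORIES,
    )


def triage(lines: Iterable[str]) -> List[Finding]:
    return [fnd for fnd in (triage_line(ln) for ln in lines) if fnd is not None]


# The two Office entries are the log lines quoted on the page.
OFFICE_LINES = [
    '12345 2021-02-25 18:21:59 "DP4-GUSAS1_proxysg3" 8 203.0.113.1 - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED HEAD text/html https www.example.com 443 / - - "Microsoft Office Word 2014" 192.168.4.86 186 264 - - - - 464583 "Example_location" explicit_proxy "-" "-" 203.0.113.1 "United States" CERT_VALID none - none TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 www.example.org "Technology/Internet" TLSv1.2 AES256-GCM-SHA384 256 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 203.0.113.1 "United States" - "Ambiguous - Special Use" 5 5 - - - - - - - - - SSL_Intercept_1 - - - - 2001:db8:ffff:ffff:: xxxxx-xxxxx-xxxxx-xxxxx',
    '12345 2021-02-25 18:22:02 "DP4-GUSAS1_proxysg3" 8 203.0.113.1 - - policy_denied DENIED "Technology/Internet" - 403 TCP_DENIED GET text/html https www.example.com 443 / - - "Mozilla/4.0 (compatible; ms-office)" 192.168.4.86 16028 195 - - - - 464583 "Example_location" explicit_proxy "-" "-" 203.0.113.14 "United States" CERT_VALID none - none TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128 www.example.org "Technology/Internet" TLSv1.2 AES256-GCM-SHA384 256 - ICAP_NOT_SCANNED - ICAP_NOT_SCANNED - 203.0.113.1 "United States" - "Ambiguous - Special Use" 5 5 - - - - - - - - - SSL_Intercept_1 - - - - 2001:db8:ffff:ffff:: xxxxx-xxxxx-xxxxx-xxxxx',
]

# CONSTRUCTED: an authenticated browser request to the same site, allowed by policy.
BROWSER_LINE = (
    '12345 2021-02-25 18:20:40 "DP4-GUSAS1_proxysg3" 120 203.0.113.1 "jdoe@example.com" '
    '"Employees" - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html https '
    'www.example.com 443 / - - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" '
    '192.168.4.86 5123 612'
)

SAMPLE_LINES = OFFICE_LINES + [BROWSER_LINE]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Run it against an exported access log (one line per entry) and compare the flagged user agents and categories with your custom policy: a finding with `covered_by_bypass=False` means the Office request was denied for a category the bypass rule does not yet include.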