When WSS policies are managed from the portal, there is a predefined policy option to bypass Authentication and SSL interception for Office 365 traffic. This option is not available when the policy is managed from the Management Center (UPE). The exact same policy can be manually installed on the Management Center VPM.
Install the following CPL policy onto a CPL Layer (new or existing). Make sure the CPL Layer is placed after the default SSL Intercept Layer.
(The conditions in the following rules are defined on the WSS backend policy template)
condition=O365_IPs_and_Domains condition=!BC_Elastica_Domain_Match ssl.forward_proxy(no)
condition=O365_IPs_and_Domains condition=!BC_Elastica_Domain_List_Match authenticate(no)