Darren,
Hope you are doing well. My first guess would be that the updateable objects for Microsoft/Office don't include the involved wildcards / FQDN according to sk163595: HTTPS Inspection bypass list object
*.broadcast.skype.com
*shared.officeapps.live.com
Have you tried to create a specific custom application object containing those entries? Then add them to the TLS Inspection policy + bypass.
In previous version you could enable Probe Bypass so the bypass action doesn't inspect even the first packet of the TLS handshake.
However in later version probe bypass was discontinued. I have to perform more research on R80.40 but so far the best way that I found to complete bypass traffic is to not even include those hosts / networks on the SSL/TLS policy.
This approach is difficult to implement on large scale environments and of course it will disable TLS inspection completed on those hosts.
More information here: Outbound SSL Inspection: A war story
____________
https://www.linkedin.com/in/federicomeiners/