We're having an issue where we're being asked for Certificate continuously when outlook is accessing office365.   The Fortigate is configured in explicit mode, and we've setup a address group and included fqdn of office 365 and allowed it on explicit policy rule and disabled SLL inspection. 

Like below: 

edit "Clone of office365" set member 365_.microsoftonline-p.com 365_.microsoftonline.com 365_.onmicrosoft.com 365_.outlook.com 365_.public-trust.com 365_.sharepoint.com 365_.verisign.com 365_.verisign.net 365_appexsin.stb.s-msn.com 365_auth.gfx.ms 365_autodiscover 365_crl.microsoft 365_d.docs.live.net 365_evsecure-aia.verisign.com 365_evsecure-crl.verisign.com 365_evsecure-ocsp.verisign.com 365_go.microsoft.com 365_login.live.com 365_login.microsoftonline.com 365_m.webtrends.com 365_microsoft-my.sharepoint.com 365_ms.tific.com 365_msft.sts.microsoft.com 365_o15.officeredir.microsoft.com 365_odc.officeapps.live.com 365_odcsm.officeapps.live.com 365_office.microsoft.com 365_office15client.microsoft.com 365_officeimg.vo.msecnd.net 365_roaming.officeapps.live.com 365_sa.symcb.com 365_sd.symcb.com 365_smtp.office365.com 365_wer.microsoft.com outlook.office365.com outlook.office365.com.g.office365.com

set member 365_crl.microsoft 365_evsecure-ocsp.verisign.com 365_evsecure-aia.verisign.com 365_evsecure-crl.verisign.com evsecure-crl.verisign.com 365_sa.symcb.com 365_sd.symcb.com 365_office15client.microsoft.com 365_odc.officeapps.live.com 365_go.microsoft.com 365_login.microsoftonline.com 365_msft.sts.microsoft.com 365_odcsm.officeapps.live.com 365_microsoft-my.sharepoint.com 365_microsoft-my.sharepoint.com 365_ms.tific.com 365_roaming.officeapps.live.com 365_o15.officeredir.microsoft.com 365_office.microsoft.com 365_officeimg.vo.msecnd.net 365_m.webtrends.com 365_d.docs.live.net 365_login.live.com 365_auth.gfx.ms 365_wer.microsoft.com 365_appexsin.stb.s-msn.com 365_autodiscover

edit "365_crl.microsoft" set type fqdn set fqdn "crl.microsoft.com" next edit "365_evsecure-ocsp.verisign.com" set type fqdn set visibility disable set fqdn "evsecure-ocsp.verisign.com" next edit "365_evsecure-aia.verisign.com"

Allowed this on Explicit Proxy policy and removed SLL inspection, but we still get the Popup

Sunny