During a pilot migration from Lync 2013 to Skype for Business Online (Office 365), the following warning popped up:
Why does Lync 2013 not trust its own company? 🙂
Appearantly we had configured a group policy a long time ago, which was set to only trust our own company name. I.e. contoso.com.
Once you Enabled this policy, all Microsoft certificates will be untrusted automatically.
So in this case I had to append all Microsoft domain names to the policy to trust them too. The policy is also referred to as  TrustModelData, and can be found in:
Path: User Configuration/Administrative Templates/Skype for Business 2016/Micrsoft Lync Feature Policies/
Policy: Trusted Domain List
Setting: Enabled
Trust Domains (comma seperated list): contoso.com
Obviously you need the Skype for Business 2016 / Office 365 administrative templates to apply aboves settings. 🙂 Simular settings also exist for Lync 2010 and Lync 2013. Then the location for the policy is like this:
User Configuration/Policies/Administrative Templates/Microsoft Lync 2013/Microsoft Lync Feature/Trusted Domains List