...
Now that the Remote Desktop Gateway is configured, we only need to leave port 443 open (HTTPS) and port 80 (HTTP). The RemoteApp, Webclient and HTML5 client all require port 443 (HTTPS), and we also need port 80 open for the regular 3 monthly certificate renewal automatically performed by the win-acme client.
The rule in the Azure firewall for port 3389 to be open should be removed.
App Registration for Email through Office 365 (Microsoft Graph API)
...