Well, I am not new to Azure, and I observe that Microsoft can't stop itself from modifying the OS in the VMs in a way that is neither documented well nor static. E.g. what they say above, "can't download anything...", is very unspecific; however, even if I disable the enhanced server IE security it still says that "downloads are not allowed by your organisation" or similar. But two years ago (to be precise, May 2020) it was allowed.
So where to look? For sure not in any firewall ports... and the trouble continues. OK, no public IP for RDP without source IP filtering, because this is terribly unsafe, understood. But why does the public IP wizard configure this as default (no source IP filtering) to this day? RDP without the Remote Desktop role is vulnerable to this day due to a flaw in the non-CredSSP-based login procedures.
And why is JavaScript disabled in IE11 (and why is IE11 distributed with a VM that is announced as "patched till Jan 2022"), and then this --censored by myself--- OneDrive setup? Well, you can download OneDrive; it somehow bypasses the IE11 download prohibition. But then it can't log in, and why? "Java script is disabled in your browser". Well, one mess after another. Also the Bastion thing. Why does it filter the right Alt key? Can't type asterisk or backslash with a German keyboard at my end. All of that is somehow incomplete and non-transparent...