@Phil M, thanks for posting in Q&A. As far as I know, the services you mentioned (Azure, Microsoft 365, Intune, Defender, etc.) will have their own required endpoints that need to be accessible for proper functioning, as specified by Microsoft. Therefore, you will need to review each service's documentation to determine the required endpoints to add to your Azure Firewall ruleset. In a deny-by-default setup, it is critical to follow these articles to make sure necessary traffic is not being blocked.
For Intune, the following article lists IP addresses and port settings needed for proxy settings in your Microsoft Intune deployments. Please ensure they are not blocked by your firewall rules:
https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints
I hope the above information helps.
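As an added illustration (not part of the answer above and not Microsoft's code): one way to check a deny-by-default allowlist against a list of required endpoints before enforcing it. The hostnames, ports, the simplified rule model (not Azure Firewall's rule schema) and the wildcard semantics (a leading `*.` matches subdomains only) are assumptions; take the real entries from each service's endpoint article.

```python
"""Gap check: which required endpoints would a deny-by-default allowlist block?"""

# Constructed sample data. Real entries come from each service's endpoint
# documentation; these hostnames are placeholders.
REQUIRED = [
    ("manage.service.example", 443),
    ("*.delivery.service.example", 443),
    ("time.service.example", 123),
    ("cdn.assets.example", 80),
    ("login.identity.example", 443),
]

# Constructed allow rules: (target FQDN or wildcard, set of allowed ports).
ALLOW_RULES = [
    ("*.service.example", {443}),
    ("cdn.assets.example", {443}),
]


def fqdn_covered(rule: str, required: str) -> bool:
    """True if the rule pattern admits every host the required entry names.

    Assumption: a leading '*.' matches any subdomain but not the bare domain.
    """
    rule, required = rule.lower().rstrip("."), required.lower().rstrip(".")
    if not rule.startswith("*."):
        return rule == required        # an exact rule cannot cover a wildcard
    suffix = rule[1:]                  # e.g. ".service.example"
    if required.startswith("*."):
        return required[1:].endswith(suffix)
    return required.endswith(suffix)


def find_gaps(required, rules):
    """Return (fqdn, port, reason) for each required endpoint not allowed."""
    gaps = []
    for fqdn, port in required:
        matching = [ports for pattern, ports in rules if fqdn_covered(pattern, fqdn)]
        if not matching:
            gaps.append((fqdn, port, "no rule matches FQDN"))
        elif not any(port in ports for ports in matching):
            gaps.append((fqdn, port, "FQDN allowed, port is not"))
    return gaps


if __name__ == "__main__":
    for fqdn, port, reason in find_gaps(REQUIRED, ALLOW_RULES):
        print(f"BLOCKED {fqdn}:{port} ({reason})")
```

Running the check each time the published endpoint lists change shows which required traffic the current ruleset would drop, and whether the gap is in the FQDN or only in the port.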