Hi,
There is no default deny policy in every rule collection. The way it works is, if a packet doesn't match ANY rule (regardless of whether it is DNAT, Network, or Application), then it is denied by default.
So in your scenario, if an outbound packet doesn't match your 'ALLOW-TO-INTERNET' network rule then Azure Firewall will check if it matches your 'ALLOW-TO-MICROSOFT' application rule and if it doesn't match either one it will be denied.
Configure Azure Firewall rules
https://learn.microsoft.com/en-us/azure/firewall/rule-processing
Key excerpt from above article:
You can configure NAT rules, network rules, and application rules on Azure Firewall using either classic rules or Firewall Policy. Azure Firewall denies all traffic by default, until rules are manually configured to allow traffic. The rules are terminating, so rule processing stops on a match.
Key excerpt from Outbound connectivity section of above article:
If still no match is found within application rules, then the packet is evaluated against the infrastructure rule collection. If there's still no match, then the packet is denied by default.
Please click Accept Answer and upvote if the above was helpful.
Thanks.
-TP
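To make the evaluation order in the answer concrete, here is a small Python model of the outbound path it describes (network rule collections, then application rule collections, then the infrastructure collection, then implicit deny, terminating on the first match). This is an added example, not code from the answer or from Microsoft; the rule and collection names 'ALLOW-TO-INTERNET' and 'ALLOW-TO-MICROSOFT' are taken from the thread, every address, port and FQDN is constructed, and the model simplifies real Azure Firewall behaviour: DNAT rules and rule collection groups are omitted, and the infrastructure collection is represented by an (assumed, empty) set of FQDNs.

```python
"""Model of Azure Firewall outbound rule processing as described in the answer:
network collections -> application collections -> infrastructure -> default deny.
Processing is terminating: the first matching rule decides. Simplified model,
not Azure's own code; all sample data below is constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    protocol: str               # "TCP" or "UDP"
    fqdn: Optional[str] = None  # HTTP Host / TLS SNI; None for non-web traffic


@dataclass
class NetworkRule:
    name: str
    protocols: Set[str]
    destinations: List[str]     # CIDR prefixes
    ports: Set[int]

    def matches(self, p: Packet) -> bool:
        # Network rules look only at L3/L4 fields.
        return (p.protocol in self.protocols
                and p.dst_port in self.ports
                and any(ip_address(p.dst_ip) in ip_network(d) for d in self.destinations))


@dataclass
class ApplicationRule:
    name: str
    target_fqdns: List[str]     # exact names or "*.example.com" wildcards
    ports: Set[int]             # e.g. {80, 443} for Http/Https

    def matches(self, p: Packet) -> bool:
        # Application rules match on FQDN, so they need web traffic that carries one.
        if p.fqdn is None or p.protocol != "TCP" or p.dst_port not in self.ports:
            return False
        return any(fnmatch(p.fqdn.lower(), t.lower()) for t in self.target_fqdns)


@dataclass
class RuleCollection:
    name: str
    priority: int               # lower number is evaluated first
    action: str                 # "Allow" or "Deny"
    rules: list


def evaluate(p: Packet, network: List[RuleCollection], application: List[RuleCollection],
             infrastructure_fqdns: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Return (action, what decided it). Stops at the first match."""
    for coll in sorted(network, key=lambda c: c.priority):
        for rule in coll.rules:
            if rule.matches(p):
                return coll.action, f"{coll.name}/{rule.name}"
    for coll in sorted(application, key=lambda c: c.priority):
        for rule in coll.rules:
            if rule.matches(p):
                return coll.action, f"{coll.name}/{rule.name}"
    # Infrastructure rule collection: placeholder set of platform FQDNs (assumption).
    if p.fqdn is not None and p.fqdn.lower() in infrastructure_fqdns:
        return "Allow", "infrastructure"
    return "Deny", "default (no rule matched)"


# Constructed configuration mirroring the thread: a network collection that only
# opens DNS/NTP, and an application collection for Microsoft FQDNs. No deny rule.
NETWORK = [RuleCollection("ALLOW-TO-INTERNET", 200, "Allow", [
    NetworkRule("dns-ntp", {"UDP"}, ["0.0.0.0/0"], {53, 123}),
])]
APPLICATION = [RuleCollection("ALLOW-TO-MICROSOFT", 200, "Allow", [
    ApplicationRule("ms-web", ["microsoft.com", "*.microsoft.com"], {80, 443}),
])]
# Variant: the network collection also opens TCP 80/443 to anywhere. Because network
# rules are evaluated first and terminate, the application rule is never consulted.
PERMISSIVE_NETWORK = [RuleCollection("ALLOW-TO-INTERNET", 200, "Allow", [
    NetworkRule("dns-ntp", {"UDP"}, ["0.0.0.0/0"], {53, 123}),
    NetworkRule("web-any", {"TCP"}, ["0.0.0.0/0"], {80, 443}),
])]

if __name__ == "__main__":
    for pkt in (Packet("8.8.8.8", 53, "UDP"),
                Packet("198.51.100.10", 443, "TCP", "login.microsoft.com"),
                Packet("203.0.113.7", 443, "TCP", "example.com"),
                Packet("203.0.113.5", 22, "TCP")):
        print(pkt, "->", evaluate(pkt, NETWORK, APPLICATION))
    print("permissive:", evaluate(Packet("203.0.113.7", 443, "TCP", "example.com"),
                                  PERMISSIVE_NETWORK, APPLICATION))
```

The last case is the practical caveat that follows from the quoted doc text: a broad network rule for TCP 443 is matched before any application rule, so FQDN filtering in 'ALLOW-TO-MICROSOFT' only takes effect for web traffic that no network rule already allows.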