Hi Jan!
AFAIK, Microsoft does not have a web application testing tool.
I work for a company that offers that service, so if there were a Microsoft 'professional' tool we'd probably be using it.
If you Google/Bing "web application testing tool free" you'll get plenty of hits.
Microsoft's WAF is based on Mod_Security - it can generate a lot of false positives, and it does have a learning curve if you want to really understand it.
WAF is the way to go if you need surgical blocking at the DOM level.
But don't expect WAF to work well unless you understand exactly what the enabled rules are doing. (respectfully speaking!)