-1

I'm looking to run Veracode's Dynamic Scan, which is a sort of automated pen tester, on an Azure App Service that is hosting our website. There is a clause in the terms https://security-forms.azure.com/penetration-testing/terms that states "Pentest form submission is not necessary when running common off the shelf vulnerability scanners. Those do not require pre-acknowledgement.".

Does Veracode's Dynamic Scan count as an "off the shelf vulnerability scanner"?

3 Answers

1

You Do Not need permission to run penetration tests on your Azure resources, but Microsoft does have issues with DDOS attacks that could be intended to be a part of a Pen Test. As of June 15, 2017, Microsoft no longer requires pre-approval to conduct a penetration test against Azure resources.

You can read more here: Microsoft Pen Testing.

Microsoft also runs its own Red Team Penetration tests on its own architecture and you can search for the latest white papers for these tests that are being done.

Brian H
0

Pen tests can have legal consequences, so you need to point this question to MS Azure Support and Veracode, and not rely on the "common sense" answers.

Even if someone had experience with this in the past, conditions/requirements can be changed.

Asking MS for permission will make it much safer for you and your site.

evgenyl
0

You should check this page: Azure Penetration Security Forms.

In summary, you should read the terms and conditions and see what you can do. And first and foremost you must inform Microsoft in advance, since otherwise they would consider you an attacker.

juunas