As an FYI, I have a few clients with Cisco ISR 881's. We've always used static VPNs to Azure, but now that you can have multiple site to site VPNs per virtual network, we've been (trying) to switch people over to Dynamic. The script that automatically generates from the portal is perfect in that you only have to enter in the name of your outside interface... BUT there's a flaw: (below is taken fromMicrosoft's Cisco ISR templates)
"crypto ikev2 profile <RP_IkeProfile>
match address local interface <NameOfYourOutsideInterface>
match identity remote address <SP_AzureGatewayIpAddress> 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local <RP_IkeKeyring>
exit"
This is of course just one small part of the config script, except the LOCAL that I have bolded/underlined. That's not in the script that is downloaded from the Azure portal. Everything else is identical. Of course the ISRs we were using would not connect up until we added 'local' to that line...
This was just as an FYI so hopefully MS can correct this very simply.