There are several reasons. First of all, every digital environment must be tested to ensure full protection. DDoS protection without DDoS testing is like software without QA. Furthermore, while Azure assumes responsibility regarding network or infrastructure attacks, application attacks largely remain your responsibility. There are configurations and actions only you can perform, such as setting rate limits, scanner and probe protection, auto-scaling, and more. And all these application-level measures must, of course, be tested.