DM sent with the IP addresses.
Blocking Azure IP address is probably not that productive, it's relatively easy to change public IP addresses on Azure, additionally a legitimate user could end up being allocated an IP that was previously used by someone abusing the fair use policy, especially as you would have the API key of the abusing user.
If you are going to filter via IP, could you not have the firewall redirect blocked requests to a VM serving static pages stating IP has exceeded acceptable use. That would make debugging issues simpler as users would actually have a message back stating what was wrong?
There is also rate limiting options with firewalls to limit number of requests per time period.
If you had an advanced enough firewall you could actually combine the source IP with packet inspection to look for the apikey for a more fine grained filter.