I recently needed to deny the TRACE verb to all incoming requests to IIS on a website running as a classic cloud service in Azure. First I tried following this post and adding the following:

<system.webServer>  
    <validation validateIntegratedModeConfiguration=”false” />
    <modules runAllManagedModulesForAllRequests=”true” />
    <handlers>
        <add name=”DenyOTH” verb=”OPTIONS,TRACE,HEAD” path=”*” 
             type=”System.Web.HttpMethodNotAllowedHandler” />
</handlers>  
</system.webServer>  

without any luck. However, I was able to block the TRACE verb using a different technique, also in system.webServer:

<system.webServer>  
    <security>
      <requestFiltering allowDoubleEscaping="true" >
        <verbs>
          <add verb="TRACE" allowed="false"/>
        </verbs>
      </requestFiltering>
    </security>
</system.webServer>  

That returns a 404 instead of a 405, but it stops the ability for people to issue TRACE requests. To confirm, run cUrl:

 curl -X TRACE https://yourwebsite.com -v