I recently needed to deny the TRACE verb to all incoming requests to IIS on a website running as a classic cloud service in Azure. First I tried following this post and adding the following:

    <validation validateIntegratedModeConfiguration=”false” />
    <modules runAllManagedModulesForAllRequests=”true” />
        <add name=”DenyOTH” verb=”OPTIONS,TRACE,HEAD” path=”*” 
             type=”System.Web.HttpMethodNotAllowedHandler” />

without any luck. However, I was able to block the TRACE verb using a different technique, also in system.webServer:

      <requestFiltering allowDoubleEscaping="true" >
          <add verb="TRACE" allowed="false"/>

That returns a 404 instead of a 405, but it stops the ability for people to issue TRACE requests. To confirm, run cUrl:

 curl -X TRACE https://yourwebsite.com -v