I have an AD FS server in a VM in Azure for test purpose. It is not for production and some downtime does not matter. However it should be available on the Internet for SSO.
Can Azure App Gateway be used for protection of AD FS?
Or is the Web Application Proxy server required?
If I setup a WAP server should it be protected by App Gateway and WAF?
WAP is recommended. No need to deploy WAF or Azure App gateways.
See https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs for deployment guidance.