Improve crumb compatibility with Azure Application Gateway


      When Jenkins is behind an Azure Application Gateway it gets the proper header for the remote user passed to it - a complete header example is below:

      POST /job/deploy-job/build?delay=0sec HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Accept: text/javascript, text/html, application/xml, text/xml, */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-CA,en-GB;q=0.9,en-US;q=0.8,en;q=0.7,fr;q=0.6
      Host: build.something
      Max-Forwards: 10
      Referer: https://build.something/job/deploy-job/
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36
      Origin: https://build.something
      Jenkins-Crumb: 0a6b7215318cfcfea7e8be0bfd7bc1a6
      X-Prototype-Version: 1.7
      X-Requested-With: XMLHttpRequest
      DNT: 1
      X-FORWARDED-PROTO: https
      X-FORWARDED-PORT: 443
      X-ORIGINAL-HOST: build.something
      SEC-WEBSOCKET-EXTENSIONS:
      X-Original-URL: /job/deploy-job/build?delay=0sec
      X-Forwarded-For: 198.2.2.249:60769
      X-ARR-SSL: 2048|256|CN=*.something|CN=*.something
      X-ARR-LOG-ID: a5a03579-302d-494a-a2c5-089d51026283
      Content-Length: 0

      HOWEVER the remote port is also included:

      X-Forwarded-For: 198.2.2.249:60769

      and since the remote port changes with every request, the crumbs are never seen as valid.

      Jenkins should support stripping the port from the remote IP if present.

      I don't know what the Azure Application Gateway does for IPv6 since it doesn't support that yet.

      Related to (but not the same as) https://issues.jenkins-ci.org/browse/JENKINS-50767 as this is behind an Application Gateway (L7 proxy) rather than a Load Balancer.

            Assignee:
            Unassigned
            Reporter:
            Michael Brown
            Archiver:
            Jenkins Service Account
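
The port stripping requested above, as an added example that is not Jenkins code and not part of the original report. `toy_crumb` is a hypothetical stand-in for a crumb bound to user and client address (not Jenkins' algorithm), the second sample port and the secret are constructed, and the header is assumed to be set by a trusted gateway. It goes beyond the report by also handling bracketed and bare IPv6 entries.

```python
import hashlib
import hmac
import ipaddress


def client_ip_from_xff(header_value):
    """Return the first X-Forwarded-For entry without its port, or None if invalid."""
    first = header_value.split(",")[0].strip()
    if not first:
        return None
    if first.startswith("["):            # "[IPv6]:port" or "[IPv6]"
        host, closing, _rest = first[1:].partition("]")
        if not closing:
            return None
    elif first.count(":") == 1:          # "IPv4:port" (a valid IPv6 has 2+ colons)
        host, _, port = first.partition(":")
        if not port.isdigit():
            return None
    else:                                # bare IPv4 or bare IPv6
        host = first
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def toy_crumb(user, client_addr, secret=b"constructed-secret"):
    """Hypothetical crumb: HMAC over user and client address (illustration only)."""
    msg = f"{user}|{client_addr}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Same client, two requests; the gateway reports a new source port each time.
    # The first value is from the report, the second is constructed.
    first_req, second_req = "198.2.2.249:60769", "198.2.2.249:60770"
    print("raw match:       ",
          toy_crumb("alice", first_req) == toy_crumb("alice", second_req))
    print("normalized match:",
          toy_crumb("alice", client_ip_from_xff(first_req))
          == toy_crumb("alice", client_ip_from_xff(second_req)))
```
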
