Hi Rahul,
After working with our Security team, we decided to handle these issues not with specific exclusions, but by creating a custom rule based on various request characteristics. For example, most of our agents are internal rather than Microsoft-hosted agents, so we had a general rule on the WAF that just allowed known IP addresses from our internal agents through and did not execute all the detailed request inspections. My team did not have permission to modify WAF rules, and the team that did have permission to modify the rules did not want to get into detailed tuning of every 3rd-party application it supported, so this is the approach we took.
There are some tradeoffs to this approach (our developers have to be on VPN to access the portal, for example) - so it may not be a solution for all teams.
Tim