08-28-2020 12:57 AM - edited 08-28-2020 12:58 AM
I have a host with a private IP address on Site A which needs to reach a host with a private IP address on Site Azure.
Site A is not directly connected to Site Azure but it has a working VPN site to site tunnel to Site B and Site B has a working site to site tunnel to Site Azure.
Is it possible for the host on Site A to reach the host on Site Azure? Because I can reach Site Azure just fine from Site B but not from Site A. The Site Azure local network is defined in the crypto map on Site A but still I can't seem to reach the host on Site Azure from Site A. I've tried setting different static routes on Site A but no luck either.
Site A = Cisco Asa 5506 X
Site B = Meraki MX64
Thanks in advance.
08-28-2020 01:14 AM
Yes, it is possible. Full host reachability or just a web site?
There are 2 ways you can do this.
1. You can do NAT using one of Site B's IP addresses with the Site A IP to reach Azure.
2. You can make a routing adjustment and allow the Site A IP address in the tunnel between Site B and Azure as interesting traffic, along with the ACL.
08-28-2020 01:28 AM - edited 08-28-2020 01:30 AM
Thanks for your reply. I need full host reachability. I'm not sure if I understand you correctly. Can you elaborate on option 1 and 2 a bit?
I've used packet-tracer on the ASA to find out what the problem is, and I don't really understand why it drops in step 8 since the Azure local network is defined in the crypto map on the ASA on Site A.
Site A = 10.1.0.0/24
Site B = 10.2.0.0/24
Site Azure = 10.3.0.0/24
packet-tracer input production tcp 10.1.0.10 2225 10.3.0.4 80 detailed
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f6e7de5c440, priority=70, domain=encrypt, deny=false
 hits=59, user_data=0x0, cs_id=0x7f6e7de95570, reverse, flags=0x0, protocol=0
 src ip/id=10.1.0.0, mask=255.255.255.0, port=0, tag=any
 dst ip/id=10.3.0.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
 input_ifc=any, output_ifc=outside

Result:
input-interface: production
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000563dadd2f44a flow (need-ike)/snp_sp_action_cb:1575
08-28-2020 05:56 AM
It should be possible for siteA host to reach site Azure going through the site to site to siteB and then through the siteB site to site to Azure. For this to happen the crypto map on both siteA and siteB must specify the address range at siteA as traffic to be encrypted. And the crypto map on both siteB and Azure must specify the address range at siteA as traffic to be encrypted. It is my guess that either siteB or Azure does not include the address range at siteA in their crypto map.
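Editor's illustration of the requirement in the answer above (added example, not configuration from the thread): on the Site A ASA, the crypto ACL that selects traffic for the Site B peer has to cover both Site A to Site B and Site A to Site Azure, and the NAT exemption has to cover both destinations as well. The interface name production and the three /24 subnets come from the thread; the object, ACL and crypto map names, the IPsec proposal, and the Site B peer address 203.0.113.2 are assumptions, and the IKE policy and tunnel-group for that peer are assumed to exist already.

```cisco
! Editor's example, not the original poster's configuration.
! Site A ASA: carry traffic for Site Azure (10.3.0.0/24) inside the
! tunnel to Site B, which then forwards it over its own tunnel to Azure.
! Assumed: Site B peer 203.0.113.2, LAN interface "production",
! IKE policy and tunnel-group for the peer already configured.

object network NET-SITEA
 subnet 10.1.0.0 255.255.255.0
object network NET-SITEB
 subnet 10.2.0.0 255.255.255.0
object network NET-AZURE
 subnet 10.3.0.0 255.255.255.0

! Crypto ACL for the Site B peer: both remote networks must be listed,
! otherwise packets for 10.3.0.0/24 never match this map entry at all.
access-list VPN-SITEB extended permit ip object NET-SITEA object NET-SITEB
access-list VPN-SITEB extended permit ip object NET-SITEA object NET-AZURE

! NAT exemption so VPN traffic keeps its private source address.
nat (production,outside) source static NET-SITEA NET-SITEA destination static NET-SITEB NET-SITEB no-proxy-arp route-lookup
nat (production,outside) source static NET-SITEA NET-SITEA destination static NET-AZURE NET-AZURE no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto map OUTSIDE_MAP 10 match address VPN-SITEB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

! Verification: each crypto ACL line negotiates its own IPsec SA, so the
! 10.1.0.0/24 <-> 10.3.0.0/24 pair must show up with its own counters.
! packet-tracer input production tcp 10.1.0.10 2225 10.3.0.4 80
! show crypto ipsec sa peer 203.0.113.2
```

Reading the packet-tracer output posted earlier in the thread against this: the rule it matched is exactly src 10.1.0.0/24, dst 10.3.0.0/24 in the encrypt domain, so the ASA side of the selector is present; the drop location "(need-ike)" means no IPsec SA exists for that selector pair yet, which is what you see when the peer will not negotiate it. That points at the Site B device (and, one hop further, Azure) needing to accept 10.1.0.0/24 <-> 10.3.0.0/24 as interesting traffic, which is the check the answer above recommends.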
08-28-2020 12:24 PM - edited 08-28-2020 12:24 PM
Hello Richard Burts, thanks for your reply. I have definitely defined remote tunnel networks/subnets as:
Site A: Site B and Site Azure.
Site B: Site A and Site Azure (two different tunnels).
Site Azure: Site A and Site B.
Though the tunnel options on Site B (Meraki MX64 with a web interface) and Site Azure (Microsoft Azure web interface) are very, very limited so I can't really define crypto maps or anything. Could that be a problem?
08-28-2020 02:53 PM
Thanks for the clarification that siteB and Azure are not Cisco devices and do not use crypto maps. I am sure that in their web interfaces there are similar functions to identify the traffic that is to be encrypted and carried through the vpn. Perhaps you can share some details of the config of siteA, and appropriate parts of the web configuration of siteB and Azure?
08-31-2020 07:09 AM - edited 08-31-2020 12:59 PM
I've decided to just make a tunnel on Site A to Site Azure too so traffic destined for Site Azure doesn't need to be routed to Site B first.
For clarity and as requested, these are the old, initial config windows on the Meraki and Azure (not much you can config):
SITE B (MERAKI)
SITE AZURE
Thanks anyways.
08-31-2020 08:19 AM
Thanks for the additional information. I agree that the screen shots do not provide much that is helpful. To be sure that I understand correctly, now you are configuring so that siteA has a vpn to siteB and another vpn to Azure. So your crypto map on the ASA has 2 sections (one for siteB and another for Azure) and 2 access lists used in the crypto map. And you have changed the config for siteB so that it no longer expects to forward traffic from siteA to Azure? And you have changed Azure so that it no longer expects to send traffic for siteA through siteB? Is the new vpn working?
08-31-2020 12:58 PM - edited 08-31-2020 01:00 PM
Good questions. The screenshots I posted, in particular the Azure screenshot, show the old situation which I tried first and couldn't get working. I should have been more clear on that.
Yes, it's working now and indeed Site A now has two site-to-site links (just like Site B) and the crypto map on Site A now has two sections and access lists. Also, indeed I have changed the remote local network in the config on Site Azure so that it no longer tries to route traffic for Site A through Site B. Essentially what you would see now is what they call in Azure two Local Network Gateways instead of one: one for Site A and one for Site B. In the screenshot you'll see the old situation with only one Local Network Gateway which has both Site A & B defined as remote local networks.
09-01-2020 10:25 AM
Thank you for letting us know that it is working now. Glad to know that what you implemented is very much like what I suggested.