You should also update your NAT ACL to exempt all the tunneled traffic, furthermore, you can not add the deny entry after the permit entry as it will have no any effect.
deny all the traffic need to be ipsec tunneled
then permit all the other traffic need to be NAT in ACL 120
access-list 120 deny ip 172.16.5.0 0.0.0.127 172.20.0.0 0.0.0.255
access-list 120 remark CCP_ACL Cateogry=18
access-list 120 permit ip 172.16.5.0 0.0.0.127 any
access-list 120 permit ip 192.168.24.0 0.0.0.63 any
access-list 120 permit ip 172.16.8.128 0.0.0.127 any
access-list 120 permit ip 192.168.24.0 0.0.0.255 any
access-list 120 deny ip 172.16.5.0 0.0.0.127 172.20.2.0 0.0.0.127
access-list 120 remark AZURE
access-list 120 deny ip 172.16.5.0 0.0.0.127 172.20.15.0 0.0.0.255