If you want the tunnel to open when there's incoming traffic from the Azure side, you'll need to make the access-list in step 1b symmetrical:
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
access...
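An added example, not part of the original page: a small Python check that reads ASA `access-list ... extended` lines and lists the entries still needed so that every entry has a counterpart with source and destination swapped, which is what "symmetrical" is assumed to mean here. The `other-acl`, `site-a` and `site-b` names in the sample are constructed; only the first sample line comes from the page.

```python
import re
from collections import defaultdict

# Constructed sample: the one complete entry shown on the page, plus a
# hypothetical ACL (other-acl) that already carries both directions.
SAMPLE_CONFIG = """\
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
access-list other-acl extended permit ip object-group site-a object-group site-b
access-list other-acl extended permit ip object-group site-b object-group site-a
"""

ENTRY = re.compile(r"\s*access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)")

def take_endpoint(tokens):
    """Consume one address spec: 'any', or a two-token form such as
    'object-group NAME', 'host ADDR' or 'ADDR MASK'."""
    head = tokens.pop(0)
    if head in ("any", "any4", "any6"):
        return (head,)
    return (head, tokens.pop(0))

def parse_entries(config):
    """Map ACL name -> set of (action, protocol, source, destination)."""
    acls = defaultdict(set)
    for line in config.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # not a complete extended ACL entry
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        try:
            src, dst = take_endpoint(tokens), take_endpoint(tokens)
        except IndexError:
            continue  # entry cut short
        if tokens:
            continue  # ports or options follow: out of scope for this check
        acls[name].add((action, proto, src, dst))
    return acls

def missing_mirrors(config):
    """Return {acl_name: [entries to add so the ACL is symmetrical]}."""
    report = {}
    for name, entries in parse_entries(config).items():
        need = [f"access-list {name} extended {a} {p} {' '.join(d)} {' '.join(s)}"
                for a, p, s, d in sorted(entries)
                if s != d and (a, p, d, s) not in entries]
        if need:
            report[name] = need
    return report

if __name__ == "__main__":
    for acl, lines in missing_mirrors(SAMPLE_CONFIG).items():
        print(f"{acl}: missing reverse entries\n  " + "\n  ".join(lines))
```

Entries that use a protocol object-group or carry port operators are skipped rather than guessed at, so review those by hand.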