Public IP addresses allow Internet resources to communicate inbound to Azure resources.

Security posture Management can help with custom rules to ensure that specifically tagged VM instances  donot have a Network Interface with public IPs assigned. The custom rule would look like following:

VirtualMachine where Tags with [ Name eq "confidential" ] should not have NetworkInterfaces with [ IPConfigurations with [ PublicIP len () gt 0 ] ]