Public IP addresses allow Internet resources to communicate inbound to Azure resources.
Security posture Management can help with custom rules to ensure that specifically tagged VM instances donot have a Network Interface with public IPs assigned. The custom rule would look like following:
VirtualMachine where Tags with [ Name eq "confidential" ] should not have NetworkInterfaces with [ IPConfigurations with [ PublicIP len () gt 0 ] ]