Hi Christopher,
This is a bit of a challenge, since you are asking to design your cloud transformation in a forum response :-) I can give you some pointers, like https://video2.skills-academy.com/en-us/azure/architecture/guide/security/security-start-here. This could also be a good time to hire experienced Azure architects who know about Azure landing zones: https://video2.skills-academy.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/
To start, you should investigate Entra (previously Azure Active Directory) for identity and access management. Entra ID Protection can report on a number of the risks that you mentioned, even before accessing Azure services: https://video2.skills-academy.com/en-us/entra/id-protection/concept-identity-protection-risks
Next, you should investigate monitoring services like Azure Monitor and Sentinel.
And then, when you start to deploy Azure services like App Services, SQL databases, and virtual machines, you should leverage their respective security features, including identity and networking.
Hope that helps,
Pieter