The way I recommend when a partner needs to access a resource within their environment is to use the Azure VPN Gateway. In Azure VPN Gateway, you can use site-to-site and point-to-site and limit resource access by allowing only the addresses of resources they need to access.
At least external access is encrypted.
Another way is to use Azure Firewall or an NVA to control traffic through a single point.
If you don't have the financial resources and can't spend, the way is to use an NSG to allow and limit access by source public IP, and you can better organize access using an ASG (without cost).
Reference: https://video2.skills-academy.com/en-us/azure/virtual-network/application-security-groups
Get in touch if you need more help with this issue.
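The NSG-plus-ASG option from the answer above, sketched with Azure CLI as an added example that is not part of the original reply. The resource names, the partner address, the `ipconfig1` IP configuration name and the /24 minimum prefix length are all assumptions of this example; the NSG is assumed to exist already and to be associated with the subnet or NIC.

```shell
#!/bin/sh
# Added example, not from the original answer. Every name below is a placeholder.
RG="rg-partner-demo"            # hypothetical resource group
NSG="nsg-partner"               # hypothetical NSG, already attached to the subnet/NIC
ASG="asg-partner-api"           # hypothetical application security group
NIC="vm-api-nic"                # hypothetical NIC of the VM the partner may reach
PARTNER_SRC="203.0.113.10/32"   # constructed address (RFC 5737 documentation range)
PORT=443

# Return 0 only for a narrow (/24../32), non-private IPv4 CIDR.
# The /24 floor is this example's own policy choice, not an Azure limit.
is_allowed_source() (
  set -f
  cidr=$1
  case $cidr in */*) ;; *) exit 1 ;; esac
  ip=${cidr%/*}; len=${cidr#*/}
  case $len in ''|*[!0-9]*) exit 1 ;; esac
  [ "$len" -ge 24 ] && [ "$len" -le 32 ] || exit 1
  IFS=.; set -- $ip
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
  done
  case $ip in
    0.*|10.*|127.*|169.254.*|192.168.*) exit 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) exit 1 ;;
  esac
  exit 0
)

apply_partner_rule() {
  is_allowed_source "$PARTNER_SRC" || { echo "refusing source $PARTNER_SRC" >&2; return 1; }
  az network asg create -g "$RG" -n "$ASG" || return 1
  # The default DenyAllInBound rule (priority 65500) drops other internet traffic,
  # so one Allow rule scoped to source IP, ASG and port is all that is added.
  az network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-partner-https \
    --priority 200 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$PARTNER_SRC" --source-port-ranges '*' \
    --destination-asgs "$ASG" --destination-port-ranges "$PORT" || return 1
  # Put the target VM's NIC into the ASG so the rule applies to it.
  az network nic ip-config update -g "$RG" --nic-name "$NIC" -n ipconfig1 \
    --application-security-groups "$ASG"
}

# Touch Azure only when invoked as: sh script.sh apply
if [ "${1:-}" = "apply" ]; then apply_partner_rule; fi
```

The source check runs before any `az` call, so a wildcard, private or overly broad prefix never reaches the NSG.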