Hi @Peter Stilgoe ,
I do absolutely not agree with the given answers of IP restrictions or Authentication.
SharePoint Online is sending remote event calls to PHAs, which are anonymous. Same problem with webhook-event calls.
Therefore, recommending authentication is not applicable.
Regarding IP ranges, here is a link to SPO IP ranges, but MS also says, that Office 365 does not provide IP addresses of all required network endpoints.
And on that page, there is also a changelog, so from time to time, the IPs will change. (!) I don't think, it is a good idea to secure a connection based on the IPs then.
A better approach would probably be, to use some kind of service endpoints or a service tag.
Unfortunately, I did not yet find an applicable service tag yet. It would already help a lot, if SharePoint Online would be included in the existing service tag AzureCloud (--> this service tag contains all datacenter public IP addresses). But I downloaded the list of 'All datacenter public IP addresses' and the first of the SPO IPs (13.107.136.x) was not included there. Hm. :(
I would expect, that Microsoft provides also an endpoint for their M365 services or just for SPO, just as they do for e.g. AzureDevOps as service endpoint. This way, it would be possible to nicely harden web applications or azure functions that should only be reachable by SPO.