What are the best recommendations for preventing my users from sending Office 365 documents outside my network, via any third party methods (i.e. Gmail, etc,.)?
My users are using Office 365 Business Premium, with Office Professional Plus 2019 as their desktop productivity suite.
I'd also like to be able to lock down their mobile devices (iPhones and Android) to either prevent or at least be able to monitor if they are forwarding Office 365 data off-network using non-Office 365 apps.
There's no full solution to this, sure you can add some restrictions like the ones available in MCAS, but people can still find ways around it. If your documents are that sensitive, consider encrypting them via RMS/AIP so that they can only be opened by designated recipients, even if shared externally.
There are a lot of ways to prevent / restrict document and data sharing from the Office365 Workloads.
Depending on what licenses you have then you might have access to different tools.
Some Tools that I always recommend to use are
DLP ( Data Loss Prevention ) - This can prevent users from sharing PIP/GDPR related data
Labels/Tags - Labels together with a label policy can automatically or manually add labels to documents, emails and other data. These Labels have different levels of sensitivity ( Public, Confidential, Very Condidential ) These labels prevent users from for exampel forwarding, printing or copy&Paste data from emails that have the label/tag applied to it
Sharing Policy in OneDrive and SharePoint - Restricting your users to only share data from OneDrive and SharePoint with external users is also a good thing to do. You can allow users to only share documents with external users that are already in your Azure AD ( AKA , Guest users in your Azure AD )
MDM ( Intune ) - Set up security and compliance policies in Intune to lock down how your mobile devices are accessing company data etc.
Conditinal Access Policy - This is a very great tool in Azure AD, Conditional Access is policies that you set up to control what and who can access information and data in Office365 and Azure. You can for example set up a policy that says "only allow access to a certain SharePoint site if your're on the internal network or on a Azure AD joined device"
Above I've just given you a quick overlook on what posibilities you have and what tools I suggest.
Read up on them, mostly DLP , MDM/Intune and Conditional Access in your scenario.
Let me know if you want some clarification in any of the mentioned tools :)
If you are satisfied, please feel free to mark my reply as " Best solution"