background: We are a hybrid Office 365 customer with Azure AD Premium. We sync on-premises AD to Azure AD (but no passwords). We use an on-premises IDP for SSO (not ADFS).
challenge: When a user is terminated, we disable the AD account, which syncs to the Azure AD user. However, the user is still actively signed in to Exchange Online with an STS token, thus bypassing SSO authentication with the IDP until it expires. How can we ensure that the user cannot access Office 365 immediately, including killing active sessions? Ideally the solution should be executed via Azure AD PowerShell, not in the Admin Console. Any examples would be appreciated.
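The following is an added example, not part of the original post and not code from the poster, showing the kind of Azure AD PowerShell step the question is asking about: invalidating the terminated user's refresh tokens so that the cloud-side session cannot be renewed. It assumes the AzureAD PowerShell module is installed, that the caller has a role that can manage users, and that `$Upn` is a hypothetical placeholder for the terminated user's UPN. The on-premises disable and directory sync described in the question are left as they are; this only covers the token side.

```powershell
# Added example (not from the original post): revoke a terminated user's
# Azure AD refresh tokens with the AzureAD PowerShell module.
# Assumptions: AzureAD module installed, caller holds a role that can manage
# users, and $Upn is a hypothetical placeholder for the user's UPN.

param(
    [Parameter(Mandatory = $true)]
    [string]$Upn
)

Import-Module AzureAD
Connect-AzureAD

$user = Get-AzureADUser -ObjectId $Upn
if (-not $user) {
    throw "User $Upn not found in Azure AD"
}

# Invalidate every refresh token and session cookie issued to this user.
# Any client (Outlook, browser, mobile) must re-authenticate, and because
# the on-premises account is already disabled and the IDP is the only
# authentication path, re-authentication will fail.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# Verify: RefreshTokensValidFromDateTime moves to (approximately) now,
# meaning tokens issued before this timestamp are no longer accepted.
Get-AzureADUser -ObjectId $user.ObjectId |
    Select-Object UserPrincipalName, AccountEnabled, RefreshTokensValidFromDateTime
```

Caveat a practitioner should keep in mind: revoking refresh tokens stops a session from being renewed, but access tokens that have already been issued stay valid until they expire (by default on the order of an hour), so this bounds the exposure window rather than cutting the session off at the exact moment the command runs.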