I use PowerShell to set accounts to expire shortly after a user's final shift. The problem is that this attribute is not synced to Azure AD and they are still able to log into Teams and O365. Our IT staff is only on-premise during regular working hours, M-F 8-5. It's important that we find a way to prevent a specific user's login across the board at a specific time.
Example: Bob's last shift ended Friday at 9PM. Using the typical PowerShell options, we set his account to expire Friday at 9:30PM giving him time to wrap up. Monday morning, we notice that even though he is no longer with our organization, he is still active in Teams and trying to carry on direct message conversations with his former colleagues and has forwarded some emails that he received over the weekend. Even though he is no longer able to log directly into a workstation, he can still access Teams and O365. We need to be able to schedule that access to end at the same time that his account expires or shortly after.
Script and use task scheduler:
https://blog.blksthl.com/2021/04/13/expired-accounts-remains-active-in-azure-ad/
Another option:
https://myserverissick.com/2019/01/how-to-make-azure-ad-connect-disable-expired-accounts/
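One way to implement the "script and Task Scheduler" approach suggested above, as an added example that is not part of the original answer or taken from the linked posts: it disables on-premises users whose expiration date has passed, so the disabled state (which does sync) reaches Azure AD, then requests a delta sync. The OU, the log path and the choice to run it on the Azure AD Connect server are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: disable on-prem AD users whose account expiration has passed.
# Assumed placeholders: $SearchBase (OU to scan) and $LogPath (audit log file).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',                 # placeholder OU
    [string]$LogPath    = 'C:\Scripts\Logs\Disable-ExpiredUsers.log'    # placeholder path
)

Import-Module ActiveDirectory
New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null

# -AccountExpired returns accounts whose expiration date is in the past;
# keep only the ones that are still enabled.
$expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled }

$disabled = 0
foreach ($user in $expired) {
    # ShouldProcess lets the script be dry-run with -WhatIf before scheduling it.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable expired account')) {
        try {
            Disable-ADAccount -Identity $user.DistinguishedName -ErrorAction Stop
            $disabled++
            $line = '{0:u} disabled {1} (expired {2:u})' -f (Get-Date),
                $user.SamAccountName, $user.AccountExpirationDate
        } catch {
            $line = '{0:u} FAILED {1}: {2}' -f (Get-Date),
                $user.SamAccountName, $_.Exception.Message
        }
        Add-Content -Path $LogPath -Value $line
    }
}

# If this host has the ADSync module (the Azure AD Connect server), request a
# delta sync now instead of waiting for the next scheduled cycle.
if ($disabled -gt 0 -and (Get-Module -ListAvailable -Name ADSync)) {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
}
```

Run it once with `-WhatIf` to review which accounts it would disable, then schedule it at a short repeat interval under an account that has rights to disable users in that OU.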
So dumb, just so dumb. Give us a damn checkbox. I don't want to have to create a registered app to connect a friggin script to the friggin cloud directory which ignores the fact an on prem user is disabled.
Get bent MS, for the 897th time today. I'm so bored of how many ways you suck.