When the Azure AD driver is running in a hybrid mode and a user’s account permission is revoked using the AD driver, the account is either disabled or deleted in AD and the corresponding association is removed from the Identity Vault. This action also triggers AAD Connect to disable or delete the user from Azure AD. However, this action does not revoke user’s Roles and License assignments in the User Application.
Workaround: Manually remove the Roles and License assignments for the user from the User Application.