Hello @bill chadwick, thanks for posting this great question!
There is no way to revoke a device, as a device is associated with a tenant on a permanent basis. The built-in security of Azure Sphere protects the devices from theft or other online attack vectors as described in the 7 properties of highly secured devices (see below).
Azure Sphere and the seven properties of highly secured devices
Updated: 12/03/2020 PDT. Reason: Correction of previous incorrect verbiage.
In my previous response, I may have inadvertently implied that disabling a device is possible by moving it to a device group and disabling updates. What I meant was that you can isolate a device from receiving updates but it will continue to authenticate and send data. My sincere apologies for any confusion this may have caused.
I have created a UserVoice request on your behalf to track the disabling of the device as a feature request. Please let me know if you have further questions and I am happy to assist you. Thank you!
You might have already watched this video, which gives info about Azure Sphere: Defense in depth for IoT devices. The particular timestamp discusses that Azure Sphere checks not only OS-level security but also the application/developer-side code, to see if it meets the basic guidelines to make it secured all round.
I also suggest commenting on your scenario on this similar product user-voice/feedback page link.
Please comment below on how we can further help you in this matter, or please share your thoughts on this matter.