When a user is removed from an enterprise app in Apple Internet Accounts, it only revokes the user's access to sign in again to that app. It does not immediately revoke any existing tokens that the user may have obtained. These tokens can still be used until they expire or are revoked by the service.

To forcefully expire the token for a user, you can use the Apple Business Manager (ABM) or Apple School Manager (ASM) to revoke the user's token. Here are the steps to revoke the token for a user:
- Sign in to your ABM or ASM account.
- Go to the "Accounts" section and find the user you want to revoke the token for.
- Click on the user's name to go to the user's details page.
- Click on the "Devices and Content" tab.
- Scroll down to the "Apps and Books" section and find the app that the user has access to.
- Click on the "More" button (three dots) next to the app and select "Revoke Access".
- Confirm the action by clicking "Revoke".

This will revoke the user's access to the app and revoke any existing tokens that the user may have obtained.

As for using Conditional Access sign-in frequency to solve this issue, it may not be the best solution, as it only limits the number of times a user can sign in to a service within a certain time period. It does not revoke existing tokens and may not be effective in immediately revoking a user's access to an app. It's best to use the above method to forcefully revoke a user's access to an app.