Well, you really shouldnt be using an active account for this. Convert it to a shared mailbox , disable the account and simply simply send the customer notifications as that mailbox, no need to really authenticate to it
If that is not possible, then you can create a conditional access policy to block access to 365 workloads:
or use a conditional access policy to block logon access to all apps or from only trusted IPs etc...