You can update the accountEnabled property just fine via the MS Graph and/or the Update-MgUser PowerShell cmdlet. Both delegate and application permissions are supported. Here's an example on how to do it in an application context via the PowerShell module:
Connect-MgGraph -ClientId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -CertificateThumbprint "xxxxxxxxxxxxxxxxxxxxxxxx" -TenantId tenant.onmicrosoft.com
Update-MgUser -UserId c410b78d-xxxx-xxxx-xxxx-0615a47b07df -AccountEnabled:$false
The only exception here is updating privileged accounts, for that you need to have the GA or Privileged auth admin role assigned to the service principal. But that's no different from the AAD requirements.