Below is my quick reference material used to study for the Office 365 70-347 exam.
I have been administering our company O365 environment for around a year now, and spent about 6 months studying for the 70-346 and 70-347 exams.

The most valuable way to study for this exam is to set up a free 30-day Office 365 E3 trial account, which you can use to play around and break/fix things.

Find the PDF file below:

If you are using SharePoint Online in your organization, it is wise to know about the issue (or feature?) below.
If you have followed Microsoft best practice, added your company zone to the trusted zones and instructed users to tick “remember my password”, it seems that the cookie generated during this procedure remains valid even if you disable the user and revoke their login permissions (unless your process is to delete AD/O365 accounts immediately).

Steps you would/can take to decommission a user account
Environment setup: AD password synced
Change the user password
Disable the account
Remove license
Block “sign in” on Office 365 [update: This will stop access after 1 hour]

SharePoint Online access will still work even if you do any of the steps above!!

How do I block access?
You would have to remove access from the SharePoint site-level permissions. Depending on whether you are using security groups or actual user accounts to grant access, you would have to remove the terminated user from the group and then force a sync to Azure AD.
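
The block-and-remove steps above as a PowerShell sketch (an added example, not part of the original post). It assumes the MSOnline and SharePoint Online Management Shell modules are installed; the script parameters `$UserPrincipalName`, `$SpoAdminUrl` and `-Apply` are hypothetical names chosen for this example, and without `-Apply` the script only reports where the user still has site entries.

```powershell
# Added example: offboarding check for the steps described in this post.
# Parameter names are hypothetical; the values shown in comments are placeholders.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. leaver@contoso.com
    [Parameter(Mandatory)] [string] $SpoAdminUrl,        # e.g. https://contoso-admin.sharepoint.com
    [switch] $Apply                                      # without this, nothing is changed
)

Connect-MsolService
Connect-SPOService -Url $SpoAdminUrl

if ($Apply) {
    # Block sign-in. Per the post, this alone takes about an hour to reach SharePoint Online.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -BlockCredential $true

    # Remove every license currently assigned to the user.
    $msolUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if ($msolUser.Licenses) {
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName `
            -RemoveLicenses $msolUser.Licenses.AccountSkuId
    }
}

# Walk every site collection and find (and optionally remove) the user's entry.
# Access granted through a synced security group is NOT covered here: remove the
# user from that group in AD and force a sync, as described above.
$results = foreach ($site in Get-SPOSite -Limit All) {
    try {
        $spoUser = Get-SPOUser -Site $site.Url -LoginName $UserPrincipalName -ErrorAction Stop
        if ($Apply) {
            Remove-SPOUser -Site $site.Url -LoginName $UserPrincipalName
        }
        [pscustomobject]@{
            Site   = $site.Url
            Status = if ($Apply) { 'Removed' } else { 'Present' }
            Groups = $spoUser.Groups -join '; '
        }
    } catch {
        # Get-SPOUser fails when the user has no entry on the site, or when the
        # admin account itself cannot read that site collection.
        [pscustomobject]@{ Site = $site.Url; Status = 'NotFoundOrNoAccess'; Groups = '' }
    }
}

$results | Where-Object Status -ne 'NotFoundOrNoAccess' | Format-Table -AutoSize
```

Run it once without `-Apply` to see which site collections still list the user, then again with `-Apply` to make the changes.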

Scenarios not tested: ADFS SSO environment, deleting the account (this should work, as the SharePoint site permissions would then be removed too)

Update: I have logged a ticket with Microsoft regarding this issue and will update this post when I hear back from them.

Update2: MS came back with the below. So you could use the block sign in option but it will need about an hour to take effect.

Once admin blocked the user in the MSODS (O365 global AD), the msonline-AccountEnabled for that user in MSODS will be updated to false for that user; it needs about 1 hour for syncing the msonline-AccountEnabled value to SPODS (SharePoint online AD). It is a by design behavior according to the feedback from back-end team.


Generated cookie details (IECookiesView.exe)

Remove User from the SPOnline Site permissions: access will be denied