No it’s not possible to update user permissions from the SSO provider (e.g. Active Directory (AD)). User accounts have to be updated via the Algolia dashboard and granted permissions inside Algolia.
Once the account is locked to SSO, users will only be able to connect the Dashboard If they have permissions in their SSO provider.
From the dashboard-side, a user is active until removed, even if they can't access the dashboard. This means they will continue to receive email alerts and any personal API keys will still be valid. You will need to update their account in Algolia manually to prevent this.