When the administrator deletes or disables a DeviceID token using the Admin Console, email access from the device will not be blocked immediately as the Exchange server keeps a session for the device. There are 2 ways to block a device immediately as soon as its DeviceID token is deleted or disabled in the MFA server.
1) Manually remove the device's session from the Exchange servers
2)
This is a special alert only used in DeviceID authentication in Exchange ActiveSync. The alert is used by the DualShield server to inform the DualShield IIS Agent of the deletion of a DeviceID token.
...