When you disable the Microsoft Endpoint Manager integration in Jamf Pro, there is a short window of time where devices can still access company resources.

You can prevent devices from accessing company resources during this time by creating an empty smart group used to calculate device compliance. To ensure a smart device group's membership remains empty, add a criteria that no device in your environment will meet. For example "iOS version is 1000". For information on creating smart device groups, see Smart Groups in the Jamf Pro Administrator's Guide.

After creating the empty smart device group, navigate Settings > Global Management > Device Compliance and select the group from the Compliance Group pop-up menu. Devices cannot access company resources after they are no longer marked as "Compliant" in Azure AD. In large environments, this process may take a while.

You can also block devices from accessing company resources using a Conditional Access policy For information, see the following webpage from Microsoft:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#block-access