I confirm the method described in my question.
Just delete the users from the Cognito group, which is auto-generated from the corresponding AD group (app); members who are still granted access in AD will be re-created in Cognito as soon as they log in again.
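Doing the removal described in this answer by hand is fine for a handful of users, but the console removes one member at a time. The script below, an added example that is not part of the question or the answer, empties a Cognito group through the `cognito-idp` API, paging through `ListUsersInGroup` (which returns at most 60 users per call) before issuing any `AdminRemoveUserFromGroup` calls, and supports a dry run so the list can be reviewed first. The user pool ID `eu-west-1_EXAMPLE`, the group name `app` and the `FakeCognitoIdp` stand-in used for the offline demo are assumptions and constructed sample data, not values from the original post.

```python
"""Bulk-remove every member of one Cognito user-pool group.

Added example, not from the original question or answer. The pool ID and
group name are placeholders; the caller's AWS credentials are assumed to
allow cognito-idp:ListUsersInGroup and cognito-idp:AdminRemoveUserFromGroup.
"""
import sys
from typing import Iterator, List, Optional


def iter_group_members(client, pool_id: str, group: str, page_size: int = 60) -> Iterator[str]:
    """Yield every Username in the group, following NextToken pagination.

    ListUsersInGroup caps Limit at 60, so a large group always spans several pages.
    """
    token: Optional[str] = None
    while True:
        kwargs = {"UserPoolId": pool_id, "GroupName": group, "Limit": page_size}
        if token:
            kwargs["NextToken"] = token
        page = client.list_users_in_group(**kwargs)
        for user in page.get("Users", []):
            yield user["Username"]
        token = page.get("NextToken")
        if not token:
            return


def purge_group(client, pool_id: str, group: str, dry_run: bool = True,
                page_size: int = 60) -> List[str]:
    """Return the group's members and, unless dry_run, remove each of them.

    The membership is snapshotted before any removal: deleting while still
    paginating would shift later pages and skip users.
    """
    members = list(iter_group_members(client, pool_id, group, page_size))
    if not dry_run:
        for username in members:
            client.admin_remove_user_from_group(
                UserPoolId=pool_id, Username=username, GroupName=group
            )
    return members


class FakeCognitoIdp:
    """Constructed stand-in for the boto3 cognito-idp client, for offline demo only.

    Mimics the response shape of list_users_in_group (Users + optional NextToken).
    """

    def __init__(self, members: List[str]):
        self.members = list(members)
        self.removed: List[str] = []

    def list_users_in_group(self, UserPoolId, GroupName, Limit, NextToken=None):
        start = int(NextToken or 0)
        page = self.members[start:start + Limit]
        resp = {"Users": [{"Username": u} for u in page]}
        if start + Limit < len(self.members):
            resp["NextToken"] = str(start + Limit)
        return resp

    def admin_remove_user_from_group(self, UserPoolId, Username, GroupName):
        self.members.remove(Username)
        self.removed.append(Username)


def demo():
    """Run a dry run and then a real purge against constructed sample members."""
    fake = FakeCognitoIdp(["alice", "bob", "carol", "dave", "erin"])
    preview = purge_group(fake, "eu-west-1_EXAMPLE", "app", dry_run=True, page_size=2)
    removed = purge_group(fake, "eu-west-1_EXAMPLE", "app", dry_run=False, page_size=2)
    return preview, removed, fake.members


def main(argv: List[str]) -> int:
    """Usage: script.py <user-pool-id> <group-name> [--apply]  (dry run by default)."""
    if len(argv) < 3:
        print(main.__doc__)
        return 2
    import boto3  # imported here so the offline demo needs no AWS SDK

    client = boto3.client("cognito-idp")
    members = purge_group(client, argv[1], argv[2], dry_run="--apply" not in argv)
    verb = "removed" if "--apply" in argv else "would remove"
    print(f"{verb} {len(members)} user(s) from group {argv[2]}: {', '.join(members)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once without `--apply` to see who would be removed; users still present in the AD group are re-created in Cognito on their next login, as the answer states, so the purge only affects those who have lost access upstream.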