We are currently investigating how to implement this. The expiration status is not a directory attribute so it is not straightforward how to sync it.
chirag commented
Yes, I agree that Aaron's workaround is perfect except for one thing, though.
In his script at https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/
What is that "info" attribute that he is using in differentiating the disabled accounts?
I do not see such an "info" attribute in the MS-graph user-schema.