Force the user to do full authentication following selective wipe
When you issue a selective wipe, you should also clear all MFA tokens, cookies and the authentication cache so the user has to complete a full re-authentication after adding their account back. Right now Outlook doesn't ask the user to reauthenticate following the selective wipe, and if you put in their email address it will give them access again.
Or, following the wipe, automatically disable their account. This way they can't get back into the device or are forced to change their password.