I am running into an issue where users on kiosk devices are connecting their work/school accounts under emails and accounts. We have a GPO set to block the accounts, and that works when they try to log in under "Access work or school", but if they go to "Email & Accounts" and select "Add a work or school account" it allows them to connect it. We have an SSO badge tap software that I am using to invoke a script on badge out. I found that clearing all files and sub-folders from c:\Users\%USERNAME%\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy and then rebooting clears and disconnects the account the next time the device auto-logs in.
However, I am looking for a way to disconnect the accounts in the moment via script, whether it be registry changes or other directories I am missing.