How block expired Active Directory user account login using other than username and password methods

[Anabela Mazurek]

Hello,

We have got integrate keycloak with Microsoft Active Directory  as user federation and allow also login using certificate. Problem is if AD account expires username and password login not work but certificate work. Any idea how approach to block any other methods if AD account is in expired state?