Michael,
I am late on this thread, but I see that it may not have been answered. As stated before, once a user is synchronized in, they cannot be removed. Typically you create cases for investigations, give needed permissions, and then close the case when the investigation / audit is complete. The use name will stay in the master list, but should not be added to any new cases.
For the existing cases, you can remove the check from the role assignment within the case (Case Menu--->Role Assignment)
Once removed, the users cannot access the application.
Logan