Intermittently, after you remove external collaborator access from an exposed OneDrive document, the document may still show as exposed in CloudSOC.
The Exposed Content tab in the Securlet tracks the exposed documents. When you change or remove the exposure, CloudSOC should reflect the change once it is completed.
Broadcom is aware of this potential issue and is planning an API change that will fix the potential notification problem. The ETA has not been announced as the API is implemented.
When CloudSOC issues the API call to O365 to change collaborator access, a notification response is sent back to CloudSOC, and that is when CloudSOC reflects the change. If CloudSOC does not receive the notification for any reason, the remove option reverts and becomes available again.
Typically, customers who have reported this have followed up to say that the exposure was removed in O365 and CloudSOC was eventually updated. However, the CASB administrator has no way to verify that the exposure was removed without checking in O365. Throttling in O365 can also delay the changes. From the CASB's perspective, there is no way to tell a delay apart from a missing notification.
The next time the file is touched in O365, the exposure is rechecked and CloudSOC gets the new metadata, including the state of external collaborators. A rescan of the file will NOT recheck for exposure.
A public exposure works differently. CloudSOC can test the public link and verify that it is removed; an external exposure does not have this capability.
It is recommended to retry if possible and then check with the Microsoft administrator to verify the file access was changed.
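One way the Microsoft administrator can do that check, shown as an added example that is not Broadcom or Microsoft code: it takes the permission entries returned for the file by Microsoft Graph (GET /drives/{drive-id}/items/{item-id}/permissions) and lists the identities outside the tenant that still hold access. The field names used (invitation.email, grantedToV2, grantedToIdentitiesV2, siteUser.loginName, user.email) are assumed to match what the tenant's response contains, and the tenant domain and sample entries are constructed.

```python
# Added example: constructed sample data, not Broadcom or Microsoft code.
TENANT_DOMAINS = {"contoso.com"}  # assumption: the tenant's own verified domains

def _addresses(identity_set):
    """Yield sign-in addresses found in one Graph identity set."""
    for key in ("user", "siteUser"):
        identity = (identity_set or {}).get(key) or {}
        for field in ("email", "loginName"):
            value = identity.get(field)
            if value:
                # loginName has the form 'i:0#.f|membership|<address>'
                yield value.rsplit("|", 1)[-1].lower()

def is_external(address, tenant_domains=TENANT_DOMAINS):
    """Guest accounts carry '#ext#'; otherwise compare the mail domain."""
    if "#ext#" in address:
        return True
    return address.rsplit("@", 1)[-1] not in tenant_domains

def external_collaborators(permissions, tenant_domains=TENANT_DOMAINS):
    """Map permission id -> external addresses that still hold access."""
    found = {}
    for perm in permissions:
        addresses = set()
        invitation = perm.get("invitation") or {}
        if invitation.get("email"):
            addresses.add(invitation["email"].lower())
        addresses.update(_addresses(perm.get("grantedToV2")))
        for identity_set in perm.get("grantedToIdentitiesV2") or []:
            addresses.update(_addresses(identity_set))
        external = sorted(a for a in addresses if is_external(a, tenant_domains))
        if external:
            found[perm.get("id")] = external
    return found

# Constructed "value" array as it might look before the collaborators are removed.
BEFORE = [
    {"id": "p1", "roles": ["owner"],
     "grantedToV2": {"user": {"email": "owner@contoso.com"}}},
    {"id": "p2", "roles": ["write"],
     "invitation": {"email": "Partner@fabrikam.example"}},
    {"id": "p3", "roles": ["read"], "grantedToIdentitiesV2": [
        {"user": {"email": "alice@contoso.com"}},
        {"siteUser": {"loginName":
            "i:0#.f|membership|vendor_example.org#ext#@contoso.onmicrosoft.com"}}]},
]
AFTER = [BEFORE[0]]  # constructed: only the internal owner remains
```

An empty result for the file means no external collaborator is left in O365, even if CloudSOC still lists the document as exposed.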