If the VMware Identity broker is configured using AD/LDAP, in a scheduled sync interval, users and groups are synced from the Active Directory. During this sync, the users that are marked as disabled in the Active Directory are also synced to VMware Identity broker. However, the status of these users do not reflect the status 'Disabled' correctly. 

VCF Operations 9.0

It's a known limitation in VCF Operations 9.0. Although the users are synced, and the status are reflected otherwise, the disabled users will NOT be able to login to VCF. This will be fixed in the upcoming releases.