We have a requirement to immediately disable a user's AD account using Policy when trigger happens.

There are couple attributes which seem like a possible choice to use for example:

Account Options (options)

Suspended (%SUSPENDED_STATE%)

Suspended (suspended)

Which is a correct choice to use with PolicyXpress?

Identity Manager 14.x, 15.x

Suspended (suspended) logical attribute taking in values 0 and 1 (for false and true) is a best choice to use when you want to suspend AD endpoint account (more details here).

Any other attribute used might cause isssues like clearing flag from Account Options on the user account - as described here.