Blocking users from SPO


We've got a situation where we need to block a subset of users from accessing our SPO tenant while still keeping their access to the rest of the O365 suite active. We can't remove them from AD at the moment, so that's not a solution. Any other ideas? 

16 Replies

Can you not just change their licenses to be the Office client only?

You can do it through PowerShell if there are too many for the UI.

https://technet.microsoft.com/en-us/library/dn771769.aspx for more details on the PowerShell option.

Paul.

We've tried removing their SharePoint license but that didn't seem to remove access to the intranet. Not sure if there's something we were missing. 

Have you tried the PowerShell approach: https://support.microsoft.com/en-us/kb/3026385?

Unfortunately, removing their license will not keep them from accessing SharePoint Online if someone adds them to a site. It used to work that way, but MS took out the license check about two years ago. I am not aware of any way to lock users out of SharePoint and still allow them access to other Office 365 features other than finding and removing all permissions in SharePoint that would give them access.

Thanks Paul, that was going to be my next suggestion. A lot depends on how people have been given access to the Intranet. If it's a larger group such as Domain Users, then you could create a new group that doesn't include these users and swing the Intranet permissions over.

Kind of a sledge hammer/nut scenario.

I suppose you could block sign-in on the user, but I think that would stop the office client working.

They've been given access both through a group - everyone except external users for global sites and individually for team sites. We've talked about creating a new group that doesn't include these individuals but that only solves half our problem.

Unfortunately, removing their SharePoint permissions is the only way to block them without blocking login to ALL Office 365 features. In an on-premises environment you could create a user Policy setting at the Web App level to deny them access, but that's not an option in a tenanted environment like Office 365.

It might be worth taking a look at something like Metalogix ControlPoint to manage the permissions changes instead then. It would be able to scan the tenant and remove permissions for nominated users.

Not a cheap option though.

Removing their license will be easiest if you want to block them from all SPO sites; this will also block their ODfB. If you just want to block a few SPO site collections, one way would be to add them to an Azure AD group, create a custom Permission Level (with no perms) in the SPO site collection and assign the new group to that level.

Paul is right, just remove their license and keep the Office license!

The license is an obvious route but be careful because I think they will lose access to their ODfB, not sure if that will kick off the deletion process. In our tenancy, all new users are added to at least one AD group that gives them access to all core SharePoint facilities so that is also a good way to apply control without having to mess with licenses. Of course, that really needs some setup before you can make full use of it. Create the AD Security Group, add all licensed users to it (a script), add the group to all appropriate SharePoint objects (Site Collections, sites, etc. depending on how you have security set up).

As has already been mentioned, removing their license will not prevent them from accessing a SharePoint Online site to which they have been given permission.  Office 365 stopped checking licenses when accessing SharePoint sites about two years ago.  The only way to block users is either to Block their login (which will block their access to all Office 365 services) or remove their permissions in SharePoint.  Removing the license will NOT work.

I was hoping that wouldn't be the solution since they've been given permission to a variety of material on the internet, both through the standard SharePoint permission group and individually. What a nightmare.

Jen Andersen 

Create a PowerShell script to check the permission level from each site collection from SPO and remove the permissions.

https://support.microsoft.com/en-us/kb/3026385 it has to work.

Jen, we have a similar requirement.  How did you end up blocking the users from SPO?

I've heard recently that you can open a support call and get Microsoft to re-enable license checking in SharePoint. If that gets turned back on then you can just remove their SharePoint Online license to block them from access. But you have to specifically request that functionality on your tenant.
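
The per-site-collection permission sweep suggested in the replies above, as an added example that is not code from any participant in this thread. It uses the SharePoint Online Management Shell cmdlets Connect-SPOService, Get-SPOSite, Get-SPOUser and Remove-SPOUser; the admin URL, login names and report path are placeholders, and nothing is removed unless `-Remove` is passed.

```powershell
# Added example: report (and optionally remove) named users per site collection.
# Assumes the SharePoint Online Management Shell module is installed.
# The admin URL, login names and report path are placeholders.
param(
    [string]   $AdminUrl      = 'https://contoso-admin.sharepoint.com',
    [string[]] $BlockedLogins = @('user1@contoso.com', 'user2@contoso.com'),
    [string]   $ReportPath    = '.\spo-blocked-users.csv',
    [switch]   $Remove        # without this switch the script only reports
)

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url $AdminUrl

$report = foreach ($site in Get-SPOSite -Limit All) {
    try {
        # One call per site collection; fails if the caller cannot read the site
        $users = Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop
    }
    catch {
        [pscustomobject]@{ Site = $site.Url; LoginName = ''; Groups = ''
                           IsSiteAdmin = ''; Status = "Unreadable: $($_.Exception.Message)" }
        continue
    }

    foreach ($user in $users | Where-Object { $_.LoginName -in $BlockedLogins }) {
        $status = 'Found'
        if ($Remove) {
            try {
                Remove-SPOUser -Site $site.Url -LoginName $user.LoginName -ErrorAction Stop
                $status = 'Removed'
            }
            catch { $status = "RemoveFailed: $($_.Exception.Message)" }
        }
        [pscustomobject]@{
            Site        = $site.Url
            LoginName   = $user.LoginName
            Groups      = $user.Groups -join '; '
            IsSiteAdmin = $user.IsSiteAdmin
            Status      = $status
        }
    }
}

# Keep the CSV as the record of what was found or changed, then summarise
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count
```

Remove-SPOUser clears only the user's own entry in each site collection (direct grants and SharePoint group memberships); access that comes through a directory group such as "Everyone except external users" is untouched, which is the other half of the problem raised in the thread. Site collections listed as Unreadable were not checked at all and need to be reviewed separately.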