Deactivated Zoho One account can sign in
I am concerned by the fact that deactivated users in Zoho One have the ability to sign in even after their account has been deactivated (not deleted).
These inactive identities have no access to individual Zoho apps or data. Based on my experience, they can still access accounts.zoho.com though. This is not desired, as it means they can still access some basic org data such as SAML metadata, verified domains (read access) or even create a new group (write access). Basically almost anything within accounts.zoho.com.
While probably not dangerous directly, I am uncomfortable with such a 'feature', as it could be misused in some creative ways, including an attack involving social engineering, for example. I also wonder if this behaviour of deactivated accounts meets compliance such as SOC 2 stated on the homepage https://www.zoho.com/compliance.html.
Based on my conversation with Zoho support, this 'feature' seems to be by design. What's the reason?
Should I delete inactive accounts? But then I do not want to lose historical data. Or is there another way / layer of user deactivation that I am not aware of?
I understand there might be use cases where one Zoho account could be linked to different orgs. Perhaps this open behaviour for accounts.zoho.com was designed for that. For us this is unexpected behaviour at least, against basic security expectations and even more controversial in an enterprise setting.
Expected behaviour: a deactivated account should not be able to sign in.
Here is a screenshot where I logged in as an inactive user (with their old password / MFA) and created a group Foo.
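A compensating check an admin could run while this behaviour stands, added here as an example that is not part of the original post and does not use any real Zoho API: it cross-references a constructed list of deactivated users against constructed sign-in/audit records, flags any activity that happens after a user's deactivation date, and rates write actions (such as group creation) higher than reads. The record format, field names and action names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data; the export format is assumed, not Zoho's real one.
# Value is the moment the user was deactivated in Zoho One.
DEACTIVATED_USERS = {
    "alice@example.com": datetime(2024, 3, 1, 9, 0),
    "bob@example.com": datetime(2024, 3, 10, 12, 0),
}

# Constructed audit records for accounts.zoho.com (field names assumed).
AUDIT_RECORDS = [
    {"ts": "2024-02-28T08:15:00", "user": "alice@example.com", "action": "signin"},
    {"ts": "2024-03-05T10:30:00", "user": "alice@example.com", "action": "signin"},
    {"ts": "2024-03-05T10:32:00", "user": "alice@example.com", "action": "group.create", "object": "Foo"},
    {"ts": "2024-03-06T11:00:00", "user": "carol@example.com", "action": "group.create", "object": "Bar"},
    {"ts": "2024-03-12T09:00:00", "user": "bob@example.com", "action": "saml.metadata.view"},
]

# Actions that change org state; anything else is treated as a read.
WRITE_ACTIONS = {"group.create", "group.update", "group.delete", "domain.add"}


@dataclass
class Finding:
    user: str
    ts: str
    action: str
    severity: str


def find_inactive_activity(records, deactivated):
    """Return a Finding for every record by a user already deactivated at that time."""
    findings = []
    for rec in records:
        user = rec["user"]
        if user not in deactivated:
            continue  # active user; out of scope for this check
        ts = datetime.fromisoformat(rec["ts"])
        if ts < deactivated[user]:
            continue  # activity predates deactivation; expected
        severity = "high" if rec["action"] in WRITE_ACTIONS else "medium"
        findings.append(Finding(user, rec["ts"], rec["action"], severity))
    return findings


if __name__ == "__main__":
    for f in find_inactive_activity(AUDIT_RECORDS, DEACTIVATED_USERS):
        print(f"[{f.severity}] {f.ts} {f.user} {f.action}")
```

Run against a real export, the same logic would flag exactly the scenario in the screenshot: a post-deactivation sign-in followed by a group creation.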