I think a mechanism to prevent people from leaving the organization would be easier to swallow if an organization has verified their domain.
So, if Contoso.com verifies ownership of their domain, it could prevent anyone with an @Contoso.com email from leaving the organization.
Should I create a separate feature request for this?