Under Community Review

Tridion Docs CMS admin ability to quickly disable/enable multiple selection of users

As a Tridion Docs admin, I recently had to go through and disable a batch of users. I couldn't see any way to do this other than to individually disable each one, which was quite tedious.

  • Guess only: Active is probably what counts, otherwise you'd always ultimately run out of seats. (It might take a while, but seeing as you can't delete users who have a relationship to content, but you can add them, seat exhaustion seems inevitable to me.) Do you have access to the licence agreement? Maybe it says something like "xx active users"?

  • Thanks, yes this is helpful. In particular, I wonder if deactivating opens up a spot for new users to be added, if/when we have added the maximum number of users, according to the license agreement. That is really the original motivation behind this...

  • Not exactly what you asked for, but it might help. Here's an untested PowerShell script I got from one of the friendly Professional Services folks to create explicitly-named users that you could perhaps investigate and modify to read in a CSV and bulk disable users. No warranty, no support from my end. Your mileage may vary. Look both ways before crossing the street. You run it, you own it. (Especially on prod. 😜)
    -------------

    Write-Host "`r`nImport-Module ISHRemote..."
    Import-Module ISHRemote -DisableNameChecking

    Write-Host "`r`nInitializing..."
    $ishSession = ''

    # Set runtime preferences
    $DebugPreference = "SilentlyContinue" # Continue or SilentlyContinue
    $VerbosePreference = "SilentlyContinue" # Continue or SilentlyContinue
    $WarningPreference = "Continue" # Continue or SilentlyContinue or Stop
    $ProgressPreference = "Continue" # Continue or SilentlyContinue

    # Specify Docs web service URL
    $webServicesBaseUrl = 'server.domain.com/.../'

    # Available user roles:
    # VUSERROLEADMINISTRATOR, VUSERROLEAUTHOR

    # Available user groups:
    # VUSERGROUPDEFAULTDEPARTMENT, VUSERGROUPSYSTEMMANAGEMENT

    # Define Author
    $authorUserRoles = "VUSERROLEAUTHOR"
    $authorUserGroups = "VUSERGROUPDEFAULTDEPARTMENT"

    # Define Administrator users
    $adminUserRoles = "VUSERROLEAUTHOR, VUSERROLEADMINISTRATOR"
    $adminUserGroups = "VUSERGROUPDEFAULTDEPARTMENT, VUSERGROUPSYSTEMMANAGEMENT"

    # Specify common user information. Options for usertype are "Internal" for Docs STS auth or "External" for SSO/ADFS
    $userType = "Internal"
    $activeDirectoryDomain = "DOMAINNAME"
    $emailDomain = "@email.com"
    $userLanguage = "en"
    $userPassword = "changeMe1" # Placeholder initial password shared by every created account; replace before running

    # Specify which users to create.
    $authorUsersToCreate = @("Author1", "Author2")
    $adminUsersToCreate = @("Admin1", "Admin2")

    try
    {
        Write-Host "`r`nConnecting to" $webServicesBaseUrl"..."

        # Prompt for credentials unless $mycreds is already set in this PowerShell session
        if ($null -eq $mycreds)
        {
            $mycreds = Get-Credential -Message "Enter credentials for a Tridion Docs administrator."
        }

        # Initializing new IshSession
        $ishSession = New-IshSession -WsBaseUrl $webServicesBaseUrl -psCred $mycreds
        Write-Host "`r`nSuccessfully connected to" $webServicesBaseUrl"."

        Write-Host "`r`nCreating Author user accounts..."
        if ($authorUsersToCreate.count -gt 0)
        {
            foreach ($user in $authorUsersToCreate)
            {
                # Look for an existing account with this name (active or inactive)
                $userIshMetadataFilterFields = Set-IshMetadataFilterField -IshSession $ishSession -Name "NAME" -Level "None" -FilterOperator "like" -Value "$user"
                $userIshObjects = Find-IshUser -IshSession $ishSession -ActivityFilter "None" -MetadataFilter $userIshMetadataFilterFields

                if ($userIshObjects.Length -eq 0)
                {
                    # Build the metadata for the new Author account
                    $ishMetadataFieldsAdd = Set-IshMetadataField -IshSession $ishSession -Name "FISHEMAIL" -Level "none" -Value "$user$emailDomain" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERTYPE" -Level "none" -Value "$userType" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "PASSWORD" -Level "none" -Value "$userPassword" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "FISHEXTERNALID" -Level "none" -Value "$activeDirectoryDomain\$user" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERLANGUAGE" -Level "none" -Value "$userLanguage" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "FUSERGROUP" -Level "none" -Value "$authorUserGroups" -ValueType "Element" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERROLES" -Level "none" -Value "$authorUserRoles" -ValueType "Element"
                    $ishobjectsAdd = Add-IshUser -IshSession $ishSession -Name "$user" -Metadata $ishMetadataFieldsAdd
                    Write-Host "Created Author account for '$user'."
                }
                else
                {
                    Write-Host "'$user' already has an account."
                }
            }
        }
        else
        {
            Write-Host "No Author accounts were created."
        }

        Write-Host "`r`nCreating Administrator user accounts..."
        if ($adminUsersToCreate.count -gt 0)
        {
            foreach ($user in $adminUsersToCreate)
            {
                # Look for an existing account with this name (active or inactive)
                $userIshMetadataFilterFields = Set-IshMetadataFilterField -IshSession $ishSession -Name "NAME" -Level "None" -FilterOperator "like" -Value "$user"
                $userIshObjects = Find-IshUser -IshSession $ishSession -ActivityFilter "None" -MetadataFilter $userIshMetadataFilterFields

                if ($userIshObjects.Length -eq 0)
                {
                    # Build the metadata for the new Administrator account
                    $ishMetadataFieldsAdd = Set-IshMetadataField -IshSession $ishSession -Name "FISHEMAIL" -Level "none" -Value "$user$emailDomain" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERTYPE" -Level "none" -Value "$userType" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "PASSWORD" -Level "none" -Value "$userPassword" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "FISHEXTERNALID" -Level "none" -Value "$activeDirectoryDomain\$user" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERLANGUAGE" -Level "none" -Value "$userLanguage" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "FUSERGROUP" -Level "none" -Value "$adminUserGroups" -ValueType "Element" `
                        | Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERROLES" -Level "none" -Value "$adminUserRoles" -ValueType "Element"
                    $ishobjectsAdd = Add-IshUser -IshSession $ishSession -Name "$user" -Metadata $ishMetadataFieldsAdd
                    Write-Host "Created Administrator account for '$user'."
                }
                else
                {
                    Write-Host "'$user' already has an account."
                }
            }
        }
        else
        {
            Write-Host "No Administrator accounts were created."
        }
    }
    catch
    {
        # Report the most recent error
        Write-Host "`r`nException"
        Write-Host "========="
        $Error[0].Exception.Message # $_.Message;
        Write-Host "========="
    }
    finally
    {
        Write-Host "`r`nRemove-Module ISHRemote..."
        Remove-Module ISHRemote
    }

  • For what it's worth... we do not use SSO, so the approach I'm taking is 

    Content Manager > Settings > Users > select user > Properties > set user's Active flag to false and Disabled flag to true. (Sorry I couldn't figure out how to upload a picture.)

    This retains the user in all lists and doesn't affect the data integrity.

    Locked = true typically represents too many failed login attempts.

    Source: SDL Tridion Docs 14 SP1 > Using SDL Tridion Docs > Using Content Manager > Concepts > Users and groups > Users > Administering users > Changing user properties

    • To deactivate a user, uncheck the Active box. This allows the user value to be maintained in the repository but eliminates the name from user lists. For instance, when a user leaves the company but is associated with metadata for an object, such as Last modified by, the username (data) in the field is maintained and valid however, the user no longer appears in any lists.
    • Check the Disabled box to prevent the user from logging into Content Manager. For instance, if the user leaves the company.

    HTH!
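
A sketch of the CSV-driven bulk disable discussed in this thread, setting Active to false and Disabled to true for each listed user. It is an added example, not code from any poster or from the ISHRemote project, and it is untested against a live system. Assumptions: the CSV has a single `Name` column, `Set-IshUser` accepts `-Id` and `-Metadata`, and the two flags are the fields `FISHOBJECTACTIVE` and `FISHUSERDISABLED` with element values `TRUE`/`FALSE`; check these against your own field setup first.

```powershell
# Added example: bulk-disable the users listed in a CSV. Dry run unless -Apply is given.
param(
    [Parameter(Mandatory)] [string] $WsBaseUrl,   # Docs web services URL
    [Parameter(Mandatory)] [string] $CsvPath,     # assumed layout: one "Name" column
    [string] $AuditPath = ".\disabled-users-audit.csv",
    [switch] $Apply
)
Import-Module ISHRemote -DisableNameChecking
$creds      = Get-Credential -Message "Enter credentials for a Tridion Docs administrator."
$ishSession = New-IshSession -WsBaseUrl $WsBaseUrl -PSCredential $creds

# Assumed field names and element values for the Active and Disabled flags; verify first.
$disableFields = Set-IshMetadataField -IshSession $ishSession -Name "FISHOBJECTACTIVE" -Level "None" -ValueType "Element" -Value "FALSE" |
    Set-IshMetadataField -IshSession $ishSession -Name "FISHUSERDISABLED" -Level "None" -ValueType "Element" -Value "TRUE"

# Normalise the input: trim, drop blanks, remove duplicates.
$names = Import-Csv -Path $CsvPath | ForEach-Object { "$($_.Name)".Trim() } |
    Where-Object { $_ } | Sort-Object -Unique

$audit = foreach ($name in $names) {
    $status = "NotFound"
    if ($name -eq $creds.UserName) {
        $status = "SkippedSelf"   # never disable the account running the script
    } else {
        # Exact match, so one CSV row can never select several accounts.
        $filter = Set-IshMetadataFilterField -IshSession $ishSession -Name "NAME" -Level "None" -FilterOperator "Equal" -Value $name
        $found  = @(Find-IshUser -IshSession $ishSession -ActivityFilter "None" -MetadataFilter $filter)
        if ($found.Count -gt 1) { $status = "Ambiguous" }
        elseif ($found.Count -eq 1) {
            if (-not $Apply) { $status = "WouldDisable" }
            else {
                try {
                    Set-IshUser -IshSession $ishSession -Id $found[0].IshRef -Metadata $disableFields -ErrorAction Stop | Out-Null
                    $status = "Disabled"
                } catch { $status = "Failed: $($_.Exception.Message)" }
            }
        }
    }
    [pscustomobject]@{ Time = (Get-Date -Format o); Name = $name; Status = $status }
}

# Keep a record of what was changed, skipped or not found.
$audit | Export-Csv -Path $AuditPath -NoTypeInformation
$audit | Format-Table -AutoSize
```

Run it once without `-Apply` and review the audit file for `NotFound` and `Ambiguous` rows before making the change for real.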

  • Another issue related to this - if a user leaves the company, they often cannot be removed from the system because they have content attached to their name.

    Also SSO - I'm sure this was already suggested.