This should be achievable with lifecycle states. In the identity profile for active directory, configure your existing “Inactive” lifecycle state to disable accounts in AD. Or, create a new lifecycle state if you are already using “Inactive” for other purposes.
Then, apply a custom transform on the Lifecycle State attribute in your identity profile mappings to calculate the correct lifecycle based on the attribute conditions you listed above. There are a number of transform operations to help you accomplish this logic.
