avoid su to other domain user sssd

Hi,
I was able to configure sssd on RHEL 8 to log in to our MS AD. I am also able to add ssh_keys and log in. My problem is that sudoers users are able to switch user to any other user in the domain. Is it possible to deny switching user only for sssd users?

Here is my config:

[domain/xxx]
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_uri = ldaps://xxxx,ldaps://xxxx
ldap_user_search_base = OU=Benutzer,DC=xxx
ldap_group_search_base = OU=Gruppen,DC=xxx
cache_credentials = True
ldap_tls_reqcert = hard
ldap_user_ssh_public_key = gecos
ldap_tls_cacert = /etc/openldap/certs/active_directory.ca.pem
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = xxxxxxxxxxxxxxxxxxxxxxxxxx
ldap_default_bind_dn = CN=sssd Service Nutzer,OU=Sondernutzer,OU=xxxx,OU=Benutzer,DC=xxxx
case_sensitive = False

[sssd]
services = nss, pam, ssh
domains = xxx

Kind regards
Ben
