I think I answered my own question.
MAR (Machine Access Restriction) should achieve this.
In your Active Directory Identity Source, under Advanced, the "Enable Machine Access Restriction" option must be checked and an aging timer should be set (12h set for test purposes).
If you have multiple ISE Nodes, they should be in a Node group and the option MAR Cache Distribution has to be enabled.
Now you can create a rule like this (rule in monitor for test purposes).