Checking up the list of Users in Dynamics 365 Customer Engagement environment (Settings>Security>Users) under 'Users with no assigned security roles' view, possibly we can find enabled users that are unknow as licensed for Dynamics 365.
Note: the only way to create users accounts is through Microsoft 365 admin center. According to Microsoft (https://docs.microsoft.com/en-us/power-platform/admin/create-users-assign-online-security-roles);
"To add new users or assign licenses to users for Microsoft Dynamics 354, go to the Microsoft Office 365 Admin Portal. To do this, click Add and License Users. You must be a member of the "User management administrator" or "Global administrator" role."
The reason for that is because there are other licenses from admin center that is pulling the users into CRM. For example, Microsoft Flow Free and Microsoft PowerApps Trial licenses.
Note: Even though some unknown users are showing in CRM, they will not have access to the CRM until at least one security role is assigned to this user.
If you really want to exclude these users from CRM, you could use a Azure AD security group to secure the access to the instance and make sure those users are not a member of that group: https://docs.microsoft.com/en-us/dynamics365/admin/add-instance-subscription#BKMK_man_sec_group