To achieve your scenario, try setting an explicit "deny assignment" targeting the resource or set of resources (scope) you would like to deny user A.
It's worth noting that since user A is already OWNER with Administrator-level permission on the management group, there's nothing stopping user A from reversing/removing the deny assignment and gaining access to the previously denied resource.
For more information, see: Understanding Azure deny assignments
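
Added example, not part of the original answer: because an Owner can remove a deny assignment, one way to watch for it is to scan exported Activity Log events for successful `Microsoft.Authorization/denyAssignments/write` or `delete` operations under the protected scope. The subscription ID, resource group names, callers and events below are constructed placeholders, and the field names assume the JSON layout returned by `az monitor activity-log list`.

```python
# Operations that change or remove a deny assignment (compared in lowercase).
WATCHED_OPS = {
    "microsoft.authorization/denyassignments/write",
    "microsoft.authorization/denyassignments/delete",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
PROTECTED_SCOPE = SUB + "/resourceGroups/rg-protected"       # hypothetical scope
DENY = "/providers/Microsoft.Authorization/denyAssignments/"
ROLE = "/providers/Microsoft.Authorization/roleAssignments/"

def event(op, resource_id, caller, status="Succeeded"):
    """Build a constructed event using the Activity Log field layout."""
    return {"operationName": {"value": op}, "resourceId": resource_id,
            "caller": caller, "status": {"value": status},
            "eventTimestamp": "2024-01-01T00:00:00Z"}

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    event("Microsoft.Authorization/denyAssignments/delete",
          PROTECTED_SCOPE + DENY + "11111111", "userA@example.com"),
    event("Microsoft.Authorization/roleAssignments/write",
          PROTECTED_SCOPE + ROLE + "22222222", "userB@example.com"),
    event("Microsoft.Authorization/denyAssignments/delete",
          SUB + "/resourceGroups/rg-other" + DENY + "33333333",
          "userA@example.com"),
    event("Microsoft.Authorization/denyAssignments/delete",
          PROTECTED_SCOPE + DENY + "44444444", "userA@example.com", "Failed"),
]

def in_scope(resource_id, scope):
    """True if resource_id is the scope itself or a child of it."""
    rid, scope = resource_id.lower().rstrip("/"), scope.lower().rstrip("/")
    return rid == scope or rid.startswith(scope + "/")

def find_deny_assignment_changes(events, scope):
    """Return successful deny-assignment writes/deletes under the scope."""
    hits = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "")
        if op.lower() not in WATCHED_OPS:
            continue  # some other operation, e.g. a role assignment change
        if ev.get("status", {}).get("value", "").lower() != "succeeded":
            continue  # attempt did not take effect
        if not in_scope(ev.get("resourceId", ""), scope):
            continue  # deny assignment belongs to a different scope
        hits.append({"time": ev.get("eventTimestamp"), "operation": op,
                     "caller": ev.get("caller"), "resource": ev["resourceId"]})
    return hits
```
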