In situations where an Active Directory (AD) user is locked out of their account or needs to enable a new device, administrators can reset their two-factor authentication. Here's how you can disable or reset two-factor authentication for an AD user:
1. Go to the AD Users Page and locate "User MFA Settings."
2. Choose the specific user from the drop-down menu and click on "Disable 2FA."
Two-factor authentication will now be disabled for the user.
Upon performing these steps, two-factor authentication will be disabled for the user. If ongoing 2FA is required for this user, they will need to set up two-factor authentication again the next time they log in.