If two-factor authentication is enabled, and an AD user gets locked out of their account or needs to enable a new device, an admin can reset their two-factor authentication. Once two-factor authentication is enabled for your AD user, you can disable or reset it at any time by following the steps below.
1. Navigate to the AD Users Page, from there you will see "User Custom Settings" (Version 10 or below: You will need to log into Web Administration in order to do this.)
2. Select the user from the drop-down menu and press "Disable 2FA"
Two-factor authentication will now be disabled for the user.
If 2FA is required for this user ongoing, the user will need to set up two-factor authentication again for their account the next time they log in.