If you have the "Require use of any MFA option" or "Require use of < specific authenticator >" policy (for Teams, the policy is called "Multifactor Authentication") enabled for your users, you can exclude the locked out user temporarily from the policy, then disable Multifactor Authentication for the user so that your user can log in and access their vault. Once confirmed they have logged in, you can re-enable the policy for your user.