FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
yangw
Staff
Article Id 367461
Description This article describes how to investigate the issue of FortiToken status, which always displays as pending even though the service is working normally.
Scope FortiAuthenticator v6.0.3
Solution

Looking specifically at the users that are now working, their tokens were in PENDING status. A few days later, they reported that all the PENDING activations had expired and the users had been disabled again.


The error entries below can be seen in the access log.

 

date=2024-01-22 time=22:14:15+0000 oid=3318835 logid=30909 cat="Event" subcat="System" level="error" nas="" action="" status="" msg="FTM polling error: unable to connect to server: failed to connect fortitokenmobile.fortinet.com:443" user="admin"

 

date=2024-01-23 time=01:19:55+0000 oid=3318980 logid=30909 cat="Event" subcat="System" level="information" nas="" action="" status="" msg="FTM polling: try to deprovision expired pending token: FTKMOB0XXXXXXXX" user="admin"

 

date=2024-01-23 time=01:19:56+0000 oid=3318981 logid=30909 cat="Event" subcat="System" level="warning" nas="" action="" status="" msg="FTM deprovision: disabled remote LDAP user 'josararai' because FTM activation has expired. Admin must be cautious to re-enable this user because it will be allowed access without token." user="admin"

 

The issue matches known issue 988000: FortiToken Mobile tokens that were provisioned while the FortiToken Mobile servers were unreachable are de-provisioned in bulk once the servers become reachable again.

 

FortiAuthenticator 6.6.1 resolved-issues 

 

Solution: Upgrade the firmware to version 6.6.1, where the issue is resolved.

 

As a workaround on the current version, reboot the FortiAuthenticator. After the reboot, all users with a FortiToken Mobile in pending status will be disabled, and their tokens will be moved to the available pool.


Then manually enable the users and assign them new tokens. When the users activate the tokens, the token status will be updated on FortiAuthenticator.
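To build the list of accounts that need a new token before they are re-enabled, the three FTM log messages shown above can be extracted from an exported log. The script below is an added example, not Fortinet code: the sample lines, user name and token serial are constructed, and it assumes other user types are logged with the same "disabled ... user '<name>'" wording seen in this article.

```python
import re

# Constructed sample lines, modelled on the log format quoted in this article.
SAMPLE_LOG = '''\
date=2024-01-22 time=22:14:15+0000 oid=100 logid=30909 cat="Event" subcat="System" level="error" nas="" action="" status="" msg="FTM polling error: unable to connect to server: failed to connect fortitokenmobile.fortinet.com:443" user="admin"
date=2024-01-23 time=01:19:55+0000 oid=101 logid=30909 cat="Event" subcat="System" level="information" nas="" action="" status="" msg="FTM polling: try to deprovision expired pending token: FTKMOB0EXAMPLE01" user="admin"
date=2024-01-23 time=01:19:56+0000 oid=102 logid=30909 cat="Event" subcat="System" level="warning" nas="" action="" status="" msg="FTM deprovision: disabled remote LDAP user 'alice.example' because FTM activation has expired." user="admin"
date=2024-01-23 time=01:20:00+0000 oid=103 logid=20001 cat="Event" subcat="Authentication" level="information" nas="" action="" status="" msg="unrelated constructed entry" user="admin"
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')   # key="quoted value" or key=bare
UNREACHABLE = "FTM polling error: unable to connect to server"
TOKEN_RE = re.compile(r"deprovision expired pending token: (\S+)")
USER_RE = re.compile(r"FTM deprovision: disabled (.+?) user '([^']+)'")


def parse_line(line):
    """Split one key=value log line into a dict of field name -> value."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def summarize(log_text):
    """Collect FTM outage times, deprovisioned tokens and disabled users."""
    report = {"unreachable": [], "tokens": [], "disabled_users": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        msg = rec.get("msg", "")
        when = f'{rec.get("date", "")} {rec.get("time", "")}'.strip()
        if msg.startswith(UNREACHABLE):
            report["unreachable"].append(when)
        elif (m := TOKEN_RE.search(msg)):
            report["tokens"].append(m.group(1))
        elif (m := USER_RE.search(msg)):
            # (timestamp, user type, user name): assign a new token to each
            # of these accounts when re-enabling them.
            report["disabled_users"].append((when, m.group(1), m.group(2)))
    return report


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("FTM server unreachable at:", result["unreachable"])
    print("Expired pending tokens:", result["tokens"])
    for when, kind, name in result["disabled_users"]:
        print(f"{when}  disabled {kind} user: {name}")
```
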