To change identity providers in Jamf Pro without causing user lockouts, you must temporarily disable the login window before proceeding.
Using your MDM solution, delete all .mobileconfig files for Jamf Connect from your organization's devices. If you are using Jamf Pro, these can be deleted by removing the devices from the Scope of your configuration profile. See Computer Configuration Profiles in the Jamf Pro Documentation.
Use a Jamf Pro policy or Terminal locally to execute the command sudo /usr/local/bin/authchanger -reset. The command can be added to a Jamf Pro policy by navigating to Files and Processes under Options in the New Policy window.
For instructions, see Policy Management in the Jamf Pro Documentation.
This command temporarily disables the Jamf Connect login window for the user account the command was run on, preventing the user from potentially being locked out of their account during this process. Additionally, the creation of new accounts through Jamf Connect is temporarily disabled.