Why is that surprising though?
MFA is meant to keep your account safe from other people who are trying to take it. Any MFA that is implemented by a company, they should 99% of the time hold the keys to the castle for that authentication. In fact, just today I removed MFA auth from about 2 dozen employees who left our company last month. Depending on what kind of tools they use on the backend, it's just a simple matter of clicking and removing MFA. If you were a malicious actor who was trying to get into an account though, you wouldn't be able to do that and would be forced to go through the auth process.
This isn't anything groundbreaking at all. I support them being able to do this, sucks for the person who got locked out of their account though. It is kind of wild that TNT would remove it in a situation like this, but if the person who targeted the account had all the right info, how is TNT to know the difference?