The easiest way to fix this would be to use the following Defender Management Shell commands that are included in the OneIdentity.Defender.AdminTools module.
The command Remove-TokenFromUserBatch would be the most useful in this situation. You would provide it with files that contain a list of users and a list of tokens.
The command does not need an actual list of token serials: the text file provided for the tokens can contain 'all' on each line instead of token serials.
Then, to create the list of user names, export a list of all of the users contained within the Disabled folder, either by using PowerShell or by right-clicking the Disabled folder in AD and selecting Export List. Make sure Display Name is added as a displayed column.
Open up the Defender Management Shell and run the command 'get-help remove-tokenfromuserbatch -full' for examples and a full explanation.
One could also use the command 'get-defenderuserslastlogon -UserSearchBase "CN=Disabled,DC=MyDomain,DC=Local"'. That returns the Defender users within that OU; the output can then be filtered to only the CommonName column and exported into a text file. Please see the command 'get-help get-defenderuserslastlogon -full' for more information.
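One way to prepare the two input files described above, as an added example that is not One Identity's own code. The function name Export-DefenderBatchFiles and the file names are hypothetical, and it assumes the output objects expose the CommonName column as a property and that the token file needs one 'all' line per user line.

```powershell
# Added example. Export-DefenderBatchFiles and the default file names are hypothetical.
function Export-DefenderBatchFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $User,
        [string] $UserFile  = '.\disabled-users.txt',
        [string] $TokenFile = '.\disabled-tokens.txt'
    )
    begin { $names = New-Object 'System.Collections.Generic.List[string]' }
    process {
        # Assumption: each input object exposes the CommonName column named above.
        $cn = "$($User.CommonName)".Trim()
        if ($cn) { $names.Add($cn) }
        else     { Write-Warning 'Skipped an entry with no CommonName.' }
    }
    end {
        # Refuse to write empty files that a later batch run would consume.
        if ($names.Count -eq 0) { throw 'No users found; no files written.' }

        # Assumption: the token file needs one 'all' line per user line.
        $tokens = @('all') * $names.Count

        Set-Content -Path $UserFile  -Value $names.ToArray()
        Set-Content -Path $TokenFile -Value $tokens

        # Return a summary so the counts can be checked before any removal.
        [pscustomobject]@{
            UserFile  = $UserFile
            TokenFile = $TokenFile
            Users     = $names.Count
        }
    }
}

# Offline check with constructed sample objects (not real accounts):
$sample = @(
    [pscustomobject]@{ CommonName = 'Constructed User One' },
    [pscustomobject]@{ CommonName = '' },
    [pscustomobject]@{ CommonName = 'Constructed User Two' }
)
$sample | Export-DefenderBatchFiles -UserFile "$env:TEMP\users.txt" -TokenFile "$env:TEMP\tokens.txt"

# In the Defender Management Shell, feed it the real users instead:
# Get-DefenderUsersLastLogon -UserSearchBase "CN=Disabled,DC=MyDomain,DC=Local" |
#     Export-DefenderBatchFiles
```

Review the user file before passing both files to Remove-TokenFromUserBatch, and take that command's parameter names from 'get-help remove-tokenfromuserbatch -full'.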