TOTP works based on shared secrets, so unless you have these shared secrets, you will not be able to validate the user at all. They cannot be programmatically retrieved either.
If there is no other way to "authenticate" a user based on personal or company information, you might consider setting up a system where the user selects a short "code word or phrase" which is stored securely. Only if the user can provide this specific code word or phrase will you be able to determine whether the user is who they claim to be. As a second option, perhaps this can be completed based on a second MFA code using SMS and a registered phone number.
These are our AAD users, so we do know them. I am trying to stay away from knowledge-based verification and use the security code displayed in the Authenticator app as the additional factor before we can reset the user's password.
@JamesRV Did you find an answer to your request yet? I'm facing exactly the same demand at the moment and am looking for a way to deal with an authentication method for our users against the helpdesk.