You can attach hardware tokens to multiple users (at least with yubikeys), but I believe best practice is to have everyone log in using their own account with their own personal 2FA device. Sharing a domain admin login is usually frowned upon (which ...