What is considered best practice for disabling / deactivating users?

[egmfrs]

I would define disabling / deactivating a user as having a property held against that user which prevented them from being able to log into the application when the property had been set to a certain value.

We are building an admin section where admin members can disable / re-enable users as required.

The options I have identified:

1. Set email confirmed to false. To re-activate a user, regenerate an email confirmation link for them.
   Or
2. Set Lockout Enabled to True and Lockout End to DateTime.Max
   Or
3. Add IsEnabled field to AspNetUsers (default to True) and override SignInManager to check value is True before returning a Success result.

Are there any other options / which is the most recommended?

[HaoK]

All of these should work, there was some effort around making it easy to do via SignInManager's CanSignIn method, so 3 is probably closest to how we envisioned something like this working, but the other two options seem reasonable as well.