Comment 9 for bug 1791111

Yes, i believe it is forced already. A user that has password expired has only access to the /v3/users/password API. And cannot change anything else.