Yes, i believe it is forced already. A user that has password expired has only access to the /v3/users/password API. And cannot change anything else.
Yes, i believe it is forced already. A user that has password expired has only access to the /v3/users/password API. And cannot change anything else.