When the user is disabled in IM but enabled in Active Directory, and you know the password
When you log in with the disabled user ID and the known password, the user is auto-enabled in IM.
Release: 14.4
If the user is enabled in AD, then the IDM user should be enabled during authentication, because IDM authentication depends on AD, where the user is enabled.
Why would we not honor the disabled state, but honor a password expiration from the password policy?
Authentication and Password Policy are two different entities. A password expiration from the password policy is honored after the user is authenticated, during authorization.