Password must change is selected but user is not forced to change password

Article ID: 39462


Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

IDM has a feature to force the user to reset their password via the check box (Password Must Change). When an admin changes a user's password with the Password Must Change check box checked, the user is not prompted to change their password at the next login. Instead, the user is allowed to log in as normal.


Environment

Identity Manager

Resolution

This issue is usually due to a mapping problem with the well-known attribute %ENABLED_STATE%.

Verify in the corporate directory.xml that there is an entry for %ENABLED_STATE% and that it is mapped to a physical attribute in your directory. For example,

%ENABLED_STATE% = caidmDisabled:

<ImsManagedObjectAttr physicalname="caidmDisabled" objectclass="caidmPerson" description="Disabled State" displayname="Disabled State" valuetype="String" wellknown="%ENABLED_STATE%" maxlength="0" hidden="true"/> 

Based on the above example, when you check 'Password Must Change' in the IDM task, IDM updates 'caidmDisabled'. When the user next logs into IDM they should be prompted to change their password.

If SiteMinder SSO is integrated, and a different process and a different attribute are being used to set the disabled status, you need to decide whether IDM or SiteMinder is going to hold the authoritative disabled-state attribute, and map the attributes accordingly.

IDM's Password Must Change functionality can update only the attribute mapped to its well-known %ENABLED_STATE%.
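The following is an added check, not part of the CA Identity Manager product, that reads a directory.xml fragment and confirms that %ENABLED_STATE% is mapped to exactly one physical attribute as described above. The sample XML fragments and the wrapping ImsManagedObject element are constructed for illustration; check the real directory.xml from your deployment.

```python
# Added example: verify the %ENABLED_STATE% well-known mapping in directory.xml.
# Not CA/Broadcom code; the sample fragments below are constructed.
import xml.etree.ElementTree as ET

WELLKNOWN = "%ENABLED_STATE%"

def check_enabled_state_mapping(xml_text):
    """Return (ok, message). ok is True only when exactly one
    ImsManagedObjectAttr carries wellknown="%ENABLED_STATE%" and
    names a non-empty physical directory attribute."""
    root = ET.fromstring(xml_text)
    # Search at any depth: a real directory.xml nests attrs under object definitions.
    matches = [e for e in root.iter("ImsManagedObjectAttr")
               if e.get("wellknown") == WELLKNOWN]
    if not matches:
        return False, "no ImsManagedObjectAttr with wellknown=" + WELLKNOWN
    if len(matches) > 1:
        return False, WELLKNOWN + " is mapped more than once"
    physical = (matches[0].get("physicalname") or "").strip()
    if not physical:
        return False, WELLKNOWN + " has no physicalname"
    return True, WELLKNOWN + " -> " + physical

# Constructed fragment: correct mapping, as in the article's example.
GOOD = """<ImsManagedObject name="User">
<ImsManagedObjectAttr physicalname="caidmDisabled" objectclass="caidmPerson" description="Disabled State" displayname="Disabled State" valuetype="String" wellknown="%ENABLED_STATE%" maxlength="0" hidden="true"/>
</ImsManagedObject>"""

# Constructed fragment: %ENABLED_STATE% mapping missing, the failure the article describes.
BAD = """<ImsManagedObject name="User">
<ImsManagedObjectAttr physicalname="mail" objectclass="caidmPerson" valuetype="String" wellknown="%EMAIL%"/>
</ImsManagedObject>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        ok, msg = check_enabled_state_mapping(doc)
        print(label + ":", "OK" if ok else "PROBLEM", "-", msg)
```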

Additional Information

"Why is Disablestate being changed to 16777216 after adding a provisioning role to users?"

https://knowledge.broadcom.com/external/article?articleId=39729