Adding Provisioning Role to existing IM User changes the value of the IM User's %ENABLED_STATE% and set the user to require a password change on next login.

Release:
Component: IDMGR

The reason for this is because the Provisioning User will be created on the first provisioning role assignment but if this is done via the Modify User task after the IM User was already created the system cannot retrieve the password for the IM User and so we cannot set the proper password on the Provisioning User. By forcing the IM User to reset their password it is a way to get the IM User and Provisioning User passwords updated to be the same on that password change. Again this is important because any accounts that we try to create via Provisioning Roles and Account Templates would not have the expected password set on them until the password on the Provisioning User was to be set.

What I would suggest is that you create a Provisioning Role with no Account Templates and that you use a PX Policy to assign this base Provisioning Role during the Create User task so that the Provisioning User gets created at the same time as the IM User and with the same password and this will avoid the problem.