Document enforce password change on next login

source/adminguide/accounts.rst

@@ -901,6 +901,116 @@ password for a user:
    .. figure:: /_static/images/reset-password.png
       :align:   center
 
+Enforce Password Change for Users
+---------------------------------
+
+Since version 4.23.0, CloudStack provides a security feature that allows administrators to
+**enforce a password change on the next login** for a User. This feature
+helps administrators comply with security policies such as periodic
+password rotation, compromised credential recovery, or administrative
+enforcement after manual password updates.
+
+The enforcement can be applied by **Root Administrators** and
+**Domain Administrators** for Users within their scope.
+
+When password change enforcement is enabled for a User:
+
+- The User can successfully authenticate with their existing or temporary credentials.
+- Immediately after login, the User is redirected to a **Change Password** screen.
+- The User must set a new password before accessing any CloudStack resources.
+- Until the password is changed, no other UI actions or API operations are permitted.
+
+Ways to Enforce Password Change
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Password change enforcement can be applied in the following ways.
+
+1. Enforce Password Change During User Creation
+"""""""""""""""""""""""""""""""""""""""""""""""
+
+When creating a new User, administrators can choose to **enforce a
+password change on the User’s first login**.
+
+**UI Flow:**
+
+#. Navigate to **Accounts → Users**.
+#. Click **Add User**.
+#. Fill in the User details, including the initial password.
+#. Enable **User must change password at next login**.
+#. Add the User.
+
+.. figure:: /_static/images/enforce-password-change-on-create.png
+   :align: center
+   :alt: Enforce password change during user creation
+   :width: 400px
+
+.. raw:: html
+
+   <br>
+
+2. Enforce Password Change When Changing a User Password
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+When an administrator changes a User’s password, CloudStack allows the
+administrator to **require the User to change the password on their next
+login**.
+
+**UI Flow:**
+
+#. Navigate to **Accounts → Users**.
+#. Open the required User details page.
+#. Select **Change Password**.
+#. Enable **User must change password at next login**.
+#. Change the password.
+
+.. figure:: /_static/images/enforce-password-change-on-update.png
+   :align: center
+   :alt: Enforce password change when updating user password
+   :width: 400px
+
+.. raw:: html
+
+   <br>
+
+3. Enforce Password Change Without Changing the Password (Quick Action)
+"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+
+Administrators can enforce a password change **without modifying the
+current password**.
+A **Quick Action** is available directly from the User details page.
+
+**UI Flow:**
+
+#. Navigate to **Accounts → Users**.
+#. Open the required User details page.
+#. Click **Force password reset** from the actions menu.
+#. Confirm the action.
+
+.. figure:: /_static/images/force-password-reset-quick-action.png
+   :align: center
+   :alt: Force password reset using quick action
+
+.. raw:: html
+
+   <br>
+
+User Login Experience
+^^^^^^^^^^^^^^^^^^^^^
+
+When enforcement is active, the User login flow is as follows:
+
+#. The User enters username, domain, and password.
+#. Authentication succeeds.
+#. The User is redirected to the **Change Password** page.
+#. The User must set a new password that complies with configured
+   password policies.
+#. Upon successful password update, normal access is granted.
+
+.. figure:: /_static/images/force-password-change-login.png
+   :align: center
+   :alt: User prompted to change password after login
+   :width: 400px
+
 Using API Key and Secret Key based Authentication
 -------------------------------------------------
 Users can generate API key and Secret key to directly access CloudStack APIs.