For local account identities, password expirations must be disabled, and force change password at next sign-in must also be disabled.
Why is force_change_password_next_sign_in required to be false? Surely a common scenario is to create a local account with a default password, then force that password to be changed on login?
I queried this with Microsoft support and got a response a few days later. Setting it to false is a best practice thing to reduce password resets and such. Not a technical limitation, at least in External ID B2B.