I assume that you acquired the access token using the Resource Owner password credential flow.
When we create a user using Azure AD Graph REST, we can disable changing the password when users sign in for the first time. Here is an example for your reference:
POST https://graph.windows.net/xxxx.onmicrosoft.com/users?api-version=1.6
authorization: bearer {access_token}
content-type: application/json

{
    "accountEnabled": true,
    "displayName": "User7",
    "mailNickname": "User7",
    "passwordProfile": {
        "password": "Test1234",
        "forceChangePasswordNextLogin": false
    },
    "userPrincipalName": "[email protected]"
}
Then we can use the Resource Owner password credential flow to acquire the access token for this user like below (ensure the parameters are URL encoded if you send them directly):
POST https://login.microsoftonline.com/xxxx.onmicrosoft.com/oauth2/token

resource=https%3A%2F%2Fgraph.windows.net&client_id={clientId}&grant_type=password&username={userName}&password=Test1234&client_secret={secret}
Then we can update the user's password using the access token above. This Azure AD Graph REST call requires the Directory.AccessAsUser.All permission to be granted.
Update
The users have to change their password when they log in to Azure AD (no matter whether through the app developed by you or the Azure portal) for the first time when you set forceChangePasswordNextLogin to true. Here is a figure for your reference:
Update 2
And in this scenario, there is no need to redirect yourself; Azure AD will handle all of this for us. When the users try to log in to your app for the first time, after they enter the correct username/password it requires them to change their password. After users change the password, it will redirect to your app automatically.
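Putting the three steps of the answer together, as an added example that is not code from the answer: the tenant, client id and secret are placeholders, `send` is a hypothetical HTTP callable injected so the flow can be exercised offline, and the final step is the Azure AD Graph `PATCH users/{upn}` password update, which the answer describes but does not show.

```python
import json
from urllib.parse import urlencode

# Tenant, app id and secret are placeholders, as in the answer above.
TENANT = "xxxx.onmicrosoft.com"
GRAPH = f"https://graph.windows.net/{TENANT}"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/token"

def create_user_request(admin_token, upn, name, password):
    """Step 1: admin creates the user with forceChangePasswordNextLogin=false,
    so the ROPC sign-in in step 2 is not blocked by a forced reset."""
    body = {"accountEnabled": True, "displayName": name, "mailNickname": name,
            "passwordProfile": {"password": password,
                                "forceChangePasswordNextLogin": False},
            "userPrincipalName": upn}
    headers = {"authorization": f"bearer {admin_token}",
               "content-type": "application/json"}
    return "POST", f"{GRAPH}/users?api-version=1.6", headers, json.dumps(body)

def ropc_token_request(client_id, client_secret, username, password):
    """Step 2: Resource Owner Password Credentials grant for the new user;
    urlencode() applies the URL encoding the answer warns about."""
    form = urlencode({"resource": "https://graph.windows.net",
                      "client_id": client_id, "grant_type": "password",
                      "username": username, "password": password,
                      "client_secret": client_secret})
    return "POST", TOKEN_URL, {"content-type": "application/x-www-form-urlencoded"}, form

def update_password_request(user_token, upn, new_password):
    """Step 3: the user replaces the temporary password with their own token
    (the app needs Directory.AccessAsUser.All for this)."""
    body = {"passwordProfile": {"password": new_password,
                                "forceChangePasswordNextLogin": False}}
    headers = {"authorization": f"bearer {user_token}",
               "content-type": "application/json"}
    return "PATCH", f"{GRAPH}/users/{upn}?api-version=1.6", headers, json.dumps(body)

def run_flow(send, admin_token, client_id, client_secret, upn, name, temp_pw, new_pw):
    """send(method, url, headers, body) -> (status, text) is a hypothetical
    HTTP callable, injected so the flow can run against a real client or a fake."""
    status, _ = send(*create_user_request(admin_token, upn, name, temp_pw))
    if status != 201:  # Azure AD Graph answers 201 Created for a new user
        raise RuntimeError(f"user creation failed: {status}")
    status, text = send(*ropc_token_request(client_id, client_secret, upn, temp_pw))
    if status != 200:
        raise RuntimeError(f"token request failed: {status}")
    user_token = json.loads(text)["access_token"]
    status, _ = send(*update_password_request(user_token, upn, new_pw))
    return status == 204  # PATCH returns 204 No Content on success
```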