diff --git a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java index 8fca652518f2..5506cb82e294 100644 --- a/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java +++ b/api/src/main/java/org/apache/cloudstack/api/ApiConstants.java @@ -1256,6 +1256,7 @@ public class ApiConstants { public static final String PROVIDER_FOR_2FA = "providerfor2fa"; public static final String ISSUER_FOR_2FA = "issuerfor2fa"; public static final String MANDATE_2FA = "mandate2fa"; + public static final String PASSWORD_CHANGE_REQUIRED = "passwordchangerequired"; public static final String SECRET_CODE = "secretcode"; public static final String LOGIN = "login"; public static final String LOGOUT = "logout"; diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java index 3d7f51ae2204..364f57443b01 100644 --- a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java +++ b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java @@ -29,6 +29,7 @@ import org.apache.cloudstack.api.response.UserResponse; import org.apache.cloudstack.context.CallContext; import org.apache.cloudstack.region.RegionService; +import org.apache.commons.lang.BooleanUtils; import com.cloud.user.Account; import com.cloud.user.User; @@ -38,6 +39,8 @@ requestHasSensitiveInfo = true, responseHasSensitiveInfo = true) public class UpdateUserCmd extends BaseCmd { + @Inject + private RegionService _regionService; ///////////////////////////////////////////////////// //////////////// API parameters ///////////////////// 
@@ -85,8 +88,11 @@ public class UpdateUserCmd extends BaseCmd { "This parameter is only used to mandate 2FA, not to disable 2FA", since = "4.18.0.0") private Boolean mandate2FA; - @Inject - private RegionService _regionService; + @Parameter(name = ApiConstants.PASSWORD_CHANGE_REQUIRED, + type = CommandType.BOOLEAN, + description = "Provide true to mandate the User to reset password on next login.", + since = "4.23.0") + private Boolean passwordChangeRequired; ///////////////////////////////////////////////////// /////////////////// Accessors /////////////////////// @@ -193,4 +199,8 @@ public Long getApiResourceId() { public ApiCommandResourceType getApiResourceType() { return ApiCommandResourceType.User; } + + public Boolean isPasswordChangeRequired() { + return BooleanUtils.isTrue(passwordChangeRequired); + } } diff --git a/api/src/main/java/org/apache/cloudstack/api/response/LoginCmdResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/LoginCmdResponse.java index 43f92db84cb5..762764017693 100644 --- a/api/src/main/java/org/apache/cloudstack/api/response/LoginCmdResponse.java +++ b/api/src/main/java/org/apache/cloudstack/api/response/LoginCmdResponse.java @@ -90,6 +90,10 @@ public class LoginCmdResponse extends AuthenticationCmdResponse { @Param(description = "Management Server ID that the user logged to", since = "4.21.0.0") private String managementServerId; + @SerializedName(value = ApiConstants.PASSWORD_CHANGE_REQUIRED) + @Param(description = "Indicates whether the User is required to change password on next login.", since = "4.23.0") + private Boolean passwordChangeRequired; + public String getUsername() { return username; } 
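Review bot: The new parameter's `since = "4.23.0"` uses a three-part version while the sibling `mandate2FA` parameter a few lines above uses the four-part form `since = "4.18.0.0"`; the generated API docs print these verbatim, so one format should be used within the command, and the same mismatch appears in the LoginCmdResponse hunk below (`since = "4.23.0"` next to `since = "4.21.0.0"`). The description should also spell out the conditions the server applies in `AccountManagerImpl.updatePasswordChangeRequired` later in this diff: the flag is honored only when a new `password` is supplied in the same call and only when a root or domain admin is updating another user; otherwise it is silently ignored. Suggested text: `description = "Provide true to require the user to change password at next login. Honored only when a new password is supplied by a root or domain admin for another user."`. The UpdateUserCmd class continues outside this hunk.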
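Review bot: `isPasswordChangeRequired()` is backed by `org.apache.commons.lang.BooleanUtils` (commons-lang 2, imported in the first hunk of this file) while the other Java files in this diff import `org.apache.commons.lang3.*`; unless the api module deliberately keeps the legacy artifact, `org.apache.commons.lang3.BooleanUtils` provides the same `isTrue` and avoids depending on both. Since the method already coalesces null to false, it can return the primitive: `public boolean isPasswordChangeRequired() { return BooleanUtils.isTrue(passwordChangeRequired); }`, which the caller in AccountManagerImpl (which unboxes it in a `&&`) and the Mockito stub in the test already accept. A one-line Javadoc stating that an omitted parameter reads as false would help callers.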
@@ -223,4 +227,12 @@ public String getManagementServerId() { public void setManagementServerId(String managementServerId) { this.managementServerId = managementServerId; } + + public Boolean getPasswordChangeRequired() { + return passwordChangeRequired; + } + + public void setPasswordChangeRequired(String passwordChangeRequired) { + this.passwordChangeRequired = Boolean.parseBoolean(passwordChangeRequired); + } } diff --git a/engine/schema/src/main/java/org/apache/cloudstack/resourcedetail/UserDetailVO.java b/engine/schema/src/main/java/org/apache/cloudstack/resourcedetail/UserDetailVO.java index d0cfcc3d4396..4e7289dae128 100644 --- a/engine/schema/src/main/java/org/apache/cloudstack/resourcedetail/UserDetailVO.java +++ b/engine/schema/src/main/java/org/apache/cloudstack/resourcedetail/UserDetailVO.java @@ -48,6 +48,7 @@ public class UserDetailVO implements ResourceDetail { public static final String Setup2FADetail = "2FASetupStatus"; public static final String PasswordResetToken = "PasswordResetToken"; public static final String PasswordResetTokenExpiryDate = "PasswordResetTokenExpiryDate"; + public static final String PasswordChangeRequired = "PasswordChangeRequired"; public UserDetailVO() { } diff --git a/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java b/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java index 452b95cf2c05..db274e3575f1 100644 --- a/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java +++ b/plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java 
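Review bot: `setPasswordChangeRequired(String)` takes a String and parses it, while the field and getter are `Boolean`; the other setter visible here, `setManagementServerId(String)`, matches its `String` field. The only caller in this diff, `ApiServer.createLoginResponse`, holds the Boolean session attribute set in `loginUser` and calls `attrObj.toString()` purely to satisfy this signature, so the round trip through `Boolean.parseBoolean` adds nothing. Suggest `public void setPasswordChangeRequired(Boolean passwordChangeRequired) { this.passwordChangeRequired = passwordChangeRequired; }` with the caller passing the attribute as a Boolean, or, if the String form is kept, a Javadoc noting that any value other than "true" (case-insensitive) maps to false.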
@@ -44,8 +44,10 @@ import org.apache.cloudstack.api.response.ApiParameterResponse; import org.apache.cloudstack.api.response.ApiResponseResponse; import org.apache.cloudstack.api.response.ListResponse; +import org.apache.cloudstack.resourcedetail.UserDetailVO; import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils; import org.apache.commons.collections.CollectionUtils; +import org.apache.commons.collections.MapUtils; import org.apache.commons.lang3.StringUtils; import org.reflections.ReflectionUtils; import org.springframework.stereotype.Component; @@ -55,6 +57,7 @@ import com.cloud.user.Account; import com.cloud.user.AccountService; import com.cloud.user.User; +import com.cloud.user.UserAccount; import com.cloud.utils.ReflectUtil; import com.cloud.utils.component.ComponentLifecycleBase; import com.cloud.utils.component.PluggableService; @@ -66,6 +69,7 @@ public class ApiDiscoveryServiceImpl extends ComponentLifecycleBase implements A List _apiAccessCheckers = null; List _services = null; protected static Map s_apiNameDiscoveryResponseMap = null; + public static final List APIS_ALLOWED_FOR_PASSWORD_CHANGE = Arrays.asList("login", "logout", "updateUser", "listApis"); @Inject AccountService accountService; 
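Review bot: `APIS_ALLOWED_FOR_PASSWORD_CHANGE` is a public static raw `List` backed by `Arrays.asList`, so its elements can be overwritten by any code holding the reference, and `listApis` below assigns it directly to `apisAllowed`, which the rest of that method treats as a working list; an allow-list that gates a restricted session should be immutable and typed. Suggest `public static final List<String> APIS_ALLOWED_FOR_PASSWORD_CHANGE = Collections.unmodifiableList(Arrays.asList("login", "logout", "updateUser", "listApis"));` (adding the `java.util.Collections` import if the file lacks it). A short comment above it stating that this is the complete set of APIs a user flagged with `UserDetailVO.PasswordChangeRequired` may discover would document the policy where it is defined.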
@@ -280,12 +284,19 @@ public ListResponse listApis(User user, String name) { ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid"))); } - if (role.getRoleType() == RoleType.Admin && role.getId() == RoleType.Admin.getId()) { - logger.info(String.format("Account [%s] is Root Admin, all APIs are allowed.", - ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid"))); + // Limit APIs on first login requiring password change + UserAccount userAccount = accountService.getUserAccountById(user.getId()); + Map userAccDetails = userAccount.getDetails(); + if (MapUtils.isNotEmpty(userAccDetails) && "true".equalsIgnoreCase(userAccDetails.get(UserDetailVO.PasswordChangeRequired))) { + apisAllowed = APIS_ALLOWED_FOR_PASSWORD_CHANGE; } else { - for (APIChecker apiChecker : _apiAccessCheckers) { - apisAllowed = apiChecker.getApisAllowedToUser(role, user, apisAllowed); + if (role.getRoleType() == RoleType.Admin && role.getId() == RoleType.Admin.getId()) { + logger.info(String.format("Account [%s] is Root Admin, all APIs are allowed.", + ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid"))); + } else { + for (APIChecker apiChecker : _apiAccessCheckers) { + apisAllowed = apiChecker.getApisAllowedToUser(role, user, apisAllowed); + } } } diff --git a/plugins/api/discovery/src/test/java/org/apache/cloudstack/discovery/ApiDiscoveryTest.java b/plugins/api/discovery/src/test/java/org/apache/cloudstack/discovery/ApiDiscoveryTest.java index eea78d8abb93..d33774cad031 100644 --- a/plugins/api/discovery/src/test/java/org/apache/cloudstack/discovery/ApiDiscoveryTest.java +++ b/plugins/api/discovery/src/test/java/org/apache/cloudstack/discovery/ApiDiscoveryTest.java 
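Review bot: `accountService.getUserAccountById(user.getId())` is dereferenced on the next line without a null check, so a user whose account row cannot be resolved now fails `listApis` with a NullPointerException before reaching the role logic; guard it: `if (userAccount != null && MapUtils.isNotEmpty(userAccount.getDetails()) && "true".equalsIgnoreCase(userAccount.getDetails().get(UserDetailVO.PasswordChangeRequired))) {`. More importantly, this hunk restricts only API discovery; nothing in this diff shows the request-execution path (the `APIChecker` implementations or ApiServer's per-request access check) rejecting calls outside `APIS_ALLOWED_FOR_PASSWORD_CHANGE` for a flagged user, and the UI gate in permission.js relies on this listing, so if execution is not also restricted the requirement is enforced only in the client. That is worth confirming and, if absent, the same detail check belongs in the checker so the restriction holds regardless of how the API is reached. The `"true".equalsIgnoreCase(details.get(UserDetailVO.PasswordChangeRequired))` test is repeated in `ApiServer.loginUser`; one helper (for example a static on `UserDetailVO` taking the details map) would keep the two in step. `listApis` starts and ends outside this hunk.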
@@ -21,6 +21,8 @@ import com.cloud.user.AccountService; import com.cloud.user.AccountVO; import com.cloud.user.User; +import com.cloud.user.UserAccount; +import com.cloud.user.UserAccountVO; import com.cloud.user.UserVO; import org.apache.cloudstack.acl.APIChecker; @@ -29,6 +31,8 @@ import org.apache.cloudstack.acl.RoleType; import org.apache.cloudstack.acl.RoleVO; import org.apache.cloudstack.api.response.ApiDiscoveryResponse; +import org.apache.cloudstack.api.response.ListResponse; +import org.junit.Assert; import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; @@ -39,11 +43,15 @@ import org.mockito.junit.MockitoJUnitRunner; import java.util.Arrays; +import java.util.HashMap; import java.util.List; import java.util.Map; +import static org.apache.cloudstack.resourcedetail.UserDetailVO.PasswordChangeRequired; +import static org.apache.cloudstack.resourcedetail.UserDetailVO.Setup2FADetail; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyList; +import static org.mockito.ArgumentMatchers.anyLong; @RunWith(MockitoJUnitRunner.class) public class ApiDiscoveryTest { @@ -66,12 +74,17 @@ public class ApiDiscoveryTest { @InjectMocks ApiDiscoveryServiceImpl discoveryServiceSpy; + @Mock + UserAccount mockUserAccount; + @Before public void setup() { discoveryServiceSpy.s_apiNameDiscoveryResponseMap = apiNameDiscoveryResponseMapMock; discoveryServiceSpy._apiAccessCheckers = apiAccessCheckersMock; Mockito.when(discoveryServiceSpy._apiAccessCheckers.iterator()).thenReturn(Arrays.asList(apiCheckerMock).iterator()); + Mockito.when(mockUserAccount.getDetails()).thenReturn(null); + Mockito.when(accountServiceMock.getUserAccountById(anyLong())).thenReturn(mockUserAccount); } private User getTestUser() { 
@@ -131,4 +144,29 @@ public void listApisTestGetsApisAllowedToUserOnUserRole() throws PermissionDenie Mockito.verify(apiCheckerMock, Mockito.times(1)).getApisAllowedToUser(any(Role.class), any(User.class), anyList()); } + + @Test + public void listApisForUserWithoutEnforcedPwdChange() throws PermissionDeniedException { + RoleVO userRoleVO = new RoleVO(4L, "name", RoleType.User, "description"); + Map userDetails = new HashMap<>(); + userDetails.put(Setup2FADetail, UserAccountVO.Setup2FAstatus.ENABLED.name()); + Mockito.when(mockUserAccount.getDetails()).thenReturn(userDetails); + Mockito.when(accountServiceMock.getAccount(Mockito.anyLong())).thenReturn(getNormalAccount()); + Mockito.when(roleServiceMock.findRole(Mockito.anyLong())).thenReturn(userRoleVO); + discoveryServiceSpy.listApis(getTestUser(), null); + Mockito.verify(apiCheckerMock, Mockito.times(1)).getApisAllowedToUser(any(Role.class), any(User.class), anyList()); + } + + @Test + public void listApisForUserEnforcedPwdChange() throws PermissionDeniedException { + RoleVO userRoleVO = new RoleVO(4L, "name", RoleType.User, "description"); + Map userDetails = new HashMap<>(); + userDetails.put(PasswordChangeRequired, "true"); + Mockito.when(mockUserAccount.getDetails()).thenReturn(userDetails); + Mockito.when(accountServiceMock.getAccount(Mockito.anyLong())).thenReturn(getNormalAccount()); + Mockito.when(roleServiceMock.findRole(Mockito.anyLong())).thenReturn(userRoleVO); + Mockito.when(apiNameDiscoveryResponseMapMock.get(Mockito.anyString())).thenReturn(Mockito.mock(ApiDiscoveryResponse.class)); + ListResponse response = (ListResponse) discoveryServiceSpy.listApis(getTestUser(), null); + Assert.assertEquals(4, response.getResponses().size()); + } } diff --git a/server/src/main/java/com/cloud/api/ApiServer.java b/server/src/main/java/com/cloud/api/ApiServer.java index 5a3c8c2c7179..f1fe6d964027 100644 --- a/server/src/main/java/com/cloud/api/ApiServer.java +++ b/server/src/main/java/com/cloud/api/ApiServer.java 
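Review bot: `listApisForUserEnforcedPwdChange` pins the expected size to the literal `4`, so any edit to `APIS_ALLOWED_FOR_PASSWORD_CHANGE` fails this test for the wrong reason; compare against the list instead, `Assert.assertEquals(ApiDiscoveryServiceImpl.APIS_ALLOWED_FOR_PASSWORD_CHANGE.size(), response.getResponses().size());`. The test also never asserts that the role-based checker was bypassed, which is the behaviour the new branch exists for: add `Mockito.verify(apiCheckerMock, Mockito.never()).getApisAllowedToUser(any(Role.class), any(User.class), anyList());`. A third case with the detail set to "false" (or mixed-case "TRUE") would cover the `equalsIgnoreCase` path that neither new test exercises.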
@@ -116,9 +116,11 @@ import org.apache.cloudstack.framework.messagebus.MessageDispatcher; import org.apache.cloudstack.framework.messagebus.MessageHandler; import org.apache.cloudstack.managed.context.ManagedContextRunnable; +import org.apache.cloudstack.resourcedetail.UserDetailVO; import org.apache.cloudstack.user.UserPasswordResetManager; import org.apache.cloudstack.utils.identity.ManagementServerNode; import org.apache.commons.codec.binary.Base64; +import org.apache.commons.collections.MapUtils; import org.apache.commons.lang3.EnumUtils; import org.apache.http.ConnectionClosedException; import org.apache.http.HttpException; @@ -194,6 +196,7 @@ import com.google.gson.reflect.TypeToken; import static com.cloud.user.AccountManagerImpl.apiKeyAccess; +import static org.apache.cloudstack.api.ApiConstants.PASSWORD_CHANGE_REQUIRED; import static org.apache.cloudstack.user.UserPasswordResetManager.UserPasswordResetEnabled; @Component @@ -1227,6 +1230,9 @@ private ResponseObject createLoginResponse(HttpSession session) { if (ApiConstants.MANAGEMENT_SERVER_ID.equalsIgnoreCase(attrName)) { response.setManagementServerId(attrObj.toString()); } + if (PASSWORD_CHANGE_REQUIRED.equalsIgnoreCase(attrName)) { + response.setPasswordChangeRequired(attrObj.toString()); + } } } response.setResponseName("loginresponse"); 
@@ -1327,6 +1333,13 @@ public ResponseObject loginUser(final HttpSession session, final String username final String sessionKey = Base64.encodeBase64URLSafeString(sessionKeyBytes); session.setAttribute(ApiConstants.SESSIONKEY, sessionKey); + Map userAccDetails = userAcct.getDetails(); + if (MapUtils.isNotEmpty(userAccDetails)) { + String needPwdChangeStr = userAccDetails.get(UserDetailVO.PasswordChangeRequired); + if ("true".equalsIgnoreCase(needPwdChangeStr)) { + session.setAttribute(PASSWORD_CHANGE_REQUIRED, true); + } + } return createLoginResponse(session); } throw new CloudAuthenticationException("Failed to authenticate user " + username + " in domain " + domainId + "; please provide valid credentials"); diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java index bbfc8fd36826..f4b27fcf87b3 100644 --- a/server/src/main/java/com/cloud/user/AccountManagerImpl.java +++ b/server/src/main/java/com/cloud/user/AccountManagerImpl.java @@ -16,6 +16,8 @@ // under the License. package com.cloud.user; +import static org.apache.cloudstack.resourcedetail.UserDetailVO.PasswordChangeRequired; + import java.net.InetAddress; import java.net.URLEncoder; import java.security.NoSuchAlgorithmException; 
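Review bot: The session flag set here depends on `userAcct.getDetails()` having been populated, which in this diff happens only in the success path of `AccountManagerImpl.authenticateUser`; a `UserAccount` produced by any other authentication route with details left null fails `MapUtils.isNotEmpty` and the user logs in unrestricted, with nothing logged. A comment on this line should state that dependency, and a debug log in the `"true"` branch (`logger.debug(String.format("User %s must change password at next login", username));`) would make the enforcement visible in the server log. The attribute is only ever set to `true`, never to `false`; that is fine for a freshly created session but worth a comment, since `createLoginResponse` treats an absent attribute as "not required". `loginUser` starts and ends outside this hunk.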
@@ -1580,9 +1582,28 @@ public UserAccount updateUser(UpdateUserCmd updateUserCmd) { user.setUser2faEnabled(true); } _userDao.update(user.getId(), user); + updatePasswordChangeRequired(caller, updateUserCmd, user); return _userAccountDao.findById(user.getId()); } + private void updatePasswordChangeRequired(User caller, UpdateUserCmd updateUserCmd, UserVO user) { + if (StringUtils.isNotBlank(updateUserCmd.getPassword())) { + boolean isCallerSameAsUser = user.getId() == caller.getId(); + boolean isPasswordResetRequired = updateUserCmd.isPasswordChangeRequired() && !isCallerSameAsUser; + // Admins only can enforce passwordChangeRequired for user + if (isRootAdmin(caller.getAccountId()) || isDomainAdmin(caller.getAccountId())) { + if (isPasswordResetRequired) { + _userDetailsDao.addDetail(user.getId(), PasswordChangeRequired, "true", false); + } + } + + // Remove passwordChangeRequired if user updating own pwd or admin has not enforced it + if (isCallerSameAsUser || !isPasswordResetRequired) { + _userDetailsDao.removeDetail(user.getId(), PasswordChangeRequired); + } + } + } + @Override public void verifyCallerPrivilegeForUserOrAccountOperations(Account userAccount) { logger.debug(String.format("Verifying whether the caller has the correct privileges based on the user's role type and API permissions: %s", userAccount)); @@ -2841,6 +2862,8 @@ public UserAccount authenticateUser(final String username, final String password logger.debug(String.format("User: %s in domain %d has successfully logged in, auth time duration - %d ms", username, domainId, validUserLastAuthTimeDurationInMs)); } + user.setDetails(_userDetailsDao.listDetailsKeyPairs(user.getId())); + return user; } else { if (logger.isDebugEnabled()) { diff --git a/server/src/main/java/org/apache/cloudstack/user/UserPasswordResetManagerImpl.java b/server/src/main/java/org/apache/cloudstack/user/UserPasswordResetManagerImpl.java index 618ad5c86572..844f452de470 100644 
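Review bot: `updatePasswordChangeRequired` silently ignores `passwordchangerequired=true` in two cases — a caller who is neither root nor domain admin, and a caller updating their own password — and in the second case also clears an existing flag, none of which is reported to the caller or documented on the method. A Javadoc listing the three outcomes (admin sets it for another user: detail written; user changes own password or admin omits the flag: detail removed; otherwise unchanged) plus a debug log when a supplied `true` is dropped would make the policy reviewable. `isDomainAdmin(caller.getAccountId())` does not itself check that `user` lies in the caller's domain; presumably the access check earlier in `updateUser` (outside this hunk) covers that, but a comment saying so would help. The same detail is also cleared in `UserPasswordResetManagerImpl.resetPassword` in this diff; routing both removals through one helper would avoid drift. `updateUser` begins outside this hunk.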
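Review bot: `user.setDetails(_userDetailsDao.listDetailsKeyPairs(user.getId()))` attaches every user detail to the authenticated `UserAccount`, including `PasswordResetToken` and `PasswordResetTokenExpiryDate` (constants visible in the UserDetailVO hunk), while the only consumer added in this diff, `ApiServer.loginUser`, reads the single `PasswordChangeRequired` key. Loading only that key, if the DAO offers a single-detail lookup, or filtering the map to the keys the login path needs, keeps reset tokens off an object that travels through the login flow and could end up in a log or a serialized session. A comment explaining why details are loaded here (consumed by `loginUser` for the password-change check) would also tell the next maintainer the call is not incidental. `authenticateUser` starts and ends outside this hunk.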
--- a/server/src/main/java/org/apache/cloudstack/user/UserPasswordResetManagerImpl.java +++ b/server/src/main/java/org/apache/cloudstack/user/UserPasswordResetManagerImpl.java @@ -48,6 +48,7 @@ import java.util.Set; import java.util.UUID; +import static org.apache.cloudstack.resourcedetail.UserDetailVO.PasswordChangeRequired; import static org.apache.cloudstack.resourcedetail.UserDetailVO.PasswordResetToken; import static org.apache.cloudstack.resourcedetail.UserDetailVO.PasswordResetTokenExpiryDate; @@ -247,6 +248,8 @@ void resetPassword(UserAccount userAccount, String password) { userDetailsDao.removeDetail(userAccount.getId(), PasswordResetToken); userDetailsDao.removeDetail(userAccount.getId(), PasswordResetTokenExpiryDate); + // remove password change required if user reset password + userDetailsDao.removeDetail(userAccount.getId(), PasswordChangeRequired); userDao.persist(user); } diff --git a/server/src/test/java/com/cloud/user/AccountManagerImplTest.java b/server/src/test/java/com/cloud/user/AccountManagerImplTest.java index 846d8cdc989b..bafe380bb26e 100644 --- a/server/src/test/java/com/cloud/user/AccountManagerImplTest.java +++ b/server/src/test/java/com/cloud/user/AccountManagerImplTest.java 
@@ -432,6 +432,19 @@ public void updateUserTestTimeZoneAndEmailNotNull() { prepareMockAndExecuteUpdateUserTest(1); } + @Test + public void updateUserTestPwdChange() { + Mockito.doReturn(true).when(UpdateUserCmdMock).isPasswordChangeRequired(); + Mockito.when(userVoMock.getAccountId()).thenReturn(10L); + Mockito.doReturn(accountMock).when(accountManagerImpl).getAccount(10L); + Mockito.when(accountMock.getAccountId()).thenReturn(10L); + Mockito.doReturn(false).when(accountManagerImpl).isRootAdmin(10L); + Mockito.lenient().when(accountManagerImpl.getRoleType(Mockito.eq(accountMock))).thenReturn(RoleType.User); + Mockito.when(callingUser.getAccountId()).thenReturn(1L); + Mockito.doReturn(true).when(accountManagerImpl).isRootAdmin(1L); + prepareMockAndExecuteUpdateUserTest(0); + } + private void prepareMockAndExecuteUpdateUserTest(int numberOfExpectedCallsForSetEmailAndSetTimeZone) { Mockito.doReturn("password").when(UpdateUserCmdMock).getPassword(); Mockito.doReturn("newpassword").when(UpdateUserCmdMock).getCurrentPassword(); diff --git a/ui/public/locales/en.json b/ui/public/locales/en.json index 028406bbc682..7a284bd7a8cc 100644 --- a/ui/public/locales/en.json +++ b/ui/public/locales/en.json @@ -527,6 +527,7 @@ "label.change.ipaddress": "Change IP address for NIC", "label.change.disk.offering": "Change disk offering", "label.change.offering.for.volume": "Change disk offering for the volume", +"label.change.password.onlogin": "User must change password at next login", "label.change.service.offering": "Change service offering", "label.character": "Character", "label.checksum": "Checksum", 
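Review bot: `updateUserTestPwdChange` sets up the admin-enforces-flag scenario but asserts nothing about the outcome — `prepareMockAndExecuteUpdateUserTest(0)` only checks the pre-existing email/timezone expectations, so the test passes even if `updatePasswordChangeRequired` never writes the detail. Add a verification on the user-details DAO mock that `addDetail` is called with the user's id, `PasswordChangeRequired`, `"true"` and `false`, and a companion test where the caller is the user themselves that verifies `removeDetail` is called with `PasswordChangeRequired`. The `Mockito.lenient()` stub on `getRoleType` suggests that branch is not reached; if so it can be dropped rather than silenced.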
@@ -3123,6 +3124,7 @@ "message.change.offering.for.volume.failed": "Change offering for the volume failed", "message.change.offering.for.volume.processing": "Changing offering for the volume...", "message.change.password": "Please change your password.", +"message.change.password.required": "You are required to change your password.", "message.change.scope.failed": "Scope change failed", "message.change.scope.processing": "Scope change in progress", "message.change.service.offering.sharedfs.failed": "Failed to change service offering for the Shared FileSystem.", @@ -3368,6 +3370,7 @@ "message.error.apply.tungsten.tag": "Applying Tag failed", "message.error.binaries.iso.url": "Please enter binaries ISO URL.", "message.error.bucket": "Please enter bucket", +"message.error.change.password": "Failed to change password.", "message.error.cidr": "CIDR is required", "message.error.cidr.or.cidrsize": "CIDR or cidr size is required", "message.error.cloudian.console": "Single-Sign-On failed for Cloudian management console. Please ask your administrator to fix integration issues.", @@ -3671,6 +3674,7 @@ "message.please.confirm.remove.user.data": "Please confirm that you want to remove this User Data", "message.please.enter.valid.value": "Please enter a valid value.", "message.please.enter.value": "Please enter values.", +"message.please.login.new.password": "Please log in again with your new password", "message.please.wait.while.autoscale.vmgroup.is.being.created": "Please wait while your AutoScaling Group is being created; this may take a while...", "message.please.wait.while.zone.is.being.created": "Please wait while your Zone is being created; this may take a while...", "message.pod.dedicated": "Pod dedicated.", diff --git a/ui/src/config/router.js b/ui/src/config/router.js index 582fbaaf2f35..5300385eeac7 100644 --- a/ui/src/config/router.js +++ b/ui/src/config/router.js 
@@ -313,6 +313,11 @@ export const constantRouterMap = [ path: 'resetPassword', name: 'resetPassword', component: () => import(/* webpackChunkName: "auth" */ '@/views/auth/ResetPassword') + }, + { + path: 'forceChangePassword', + name: 'forceChangePassword', + component: () => import(/* webpackChunkName: "auth" */ '@/views/iam/ForceChangePassword') } ] }, diff --git a/ui/src/permission.js b/ui/src/permission.js index 266dc992c8db..671d6626b931 100644 --- a/ui/src/permission.js +++ b/ui/src/permission.js @@ -94,6 +94,16 @@ router.beforeEach((to, from, next) => { } store.commit('SET_LOGIN_FLAG', true) } + // store already loaded + if (store.getters.passwordChangeRequired) { + if (to.path === '/user/forceChangePassword') { + next() + } else { + next({ path: '/user/forceChangePassword' }) + NProgress.done() + } + return + } if (Object.keys(store.getters.apis).length === 0) { const cachedApis = vueProps.$localStorage.get(APIS, {}) if (Object.keys(cachedApis).length > 0) { @@ -102,6 +112,19 @@ router.beforeEach((to, from, next) => { store .dispatch('GetInfo') .then(apis => { + // Essential for Page Refresh scenarios + if (store.getters.passwordChangeRequired) { + // Only allow the Change Password page + if (to.path === '/user/forceChangePassword') { + next() + } else { + // Redirect everything else (including dashboard, wildcards) to Change Password + next({ path: '/user/forceChangePassword' }) + NProgress.done() + } + return + } + store.dispatch('GenerateRoutes', { apis }).then(() => { store.getters.addRouters.map(route => { router.addRoute(route) diff --git a/ui/src/store/getters.js b/ui/src/store/getters.js index 911234d9b715..c7ab2f0c536b 100644 --- a/ui/src/store/getters.js +++ b/ui/src/store/getters.js 
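Review bot: The redirect-to-`/user/forceChangePassword` block is written twice in `router.beforeEach` — once before the cached-API check and again inside the `GetInfo` `.then` — and the two copies differ only in comments, so they will drift apart on the next change. Extract one helper that reports whether it handled navigation and call it from both places. This guard is a client-side convenience that only runs in the browser; the server-side restriction in `ApiDiscoveryServiceImpl.listApis` (and whatever the execution path enforces) remains the control that matters, and a comment on the helper should say so. `router.beforeEach` starts and ends outside this hunk.
```javascript
// Returns true when navigation was handled because a password change is pending.
// Client-side guard only; the server restricts the API set independently.
function redirectIfPasswordChangeRequired (to, next) {
  if (!store.getters.passwordChangeRequired) {
    return false
  }
  if (to.path === '/user/forceChangePassword') {
    next()
  } else {
    next({ path: '/user/forceChangePassword' })
    NProgress.done()
  }
  return true
}

// … unchanged: router.beforeEach up to the login-flag handling …
    if (redirectIfPasswordChangeRequired(to, next)) {
      return
    }
// … unchanged: cached-API lookup and GetInfo dispatch …
        if (redirectIfPasswordChangeRequired(to, next)) {
          return
        }
// … unchanged: GenerateRoutes …
```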
@@ -55,7 +55,8 @@ const getters = { loginFlag: state => state.user.loginFlag, allProjects: (state) => state.app.allProjects, customHypervisorName: state => state.user.customHypervisorName, - readyForShutdownPollingJob: state => state.user.readyForShutdownPollingJob + readyForShutdownPollingJob: state => state.user.readyForShutdownPollingJob, + passwordChangeRequired: state => state.user.passwordChangeRequired } export default getters diff --git a/ui/src/store/modules/user.js b/ui/src/store/modules/user.js index 2c0edf656d73..a71c3378e26c 100644 --- a/ui/src/store/modules/user.js +++ b/ui/src/store/modules/user.js @@ -44,7 +44,8 @@ import { MS_ID, OAUTH_DOMAIN, OAUTH_PROVIDER, - LATEST_CS_VERSION + LATEST_CS_VERSION, + PASSWORD_CHANGE_REQUIRED } from '@/store/mutation-types' import { @@ -80,7 +81,8 @@ const user = { twoFaProvider: '', twoFaIssuer: '', customHypervisorName: 'Custom', - readyForShutdownPollingJob: '' + readyForShutdownPollingJob: '', + passwordChangeRequired: false }, mutations: { @@ -196,6 +198,14 @@ const user = { vueProps.$localStorage.set(LATEST_CS_VERSION, version) state.latestVersion = version } + }, + SET_PASSWORD_CHANGE_REQUIRED: (state, required) => { + state.passwordChangeRequired = required + if (required) { + vueProps.$localStorage.set(PASSWORD_CHANGE_REQUIRED, true) + } else { + vueProps.$localStorage.remove(PASSWORD_CHANGE_REQUIRED) + } } }, @@ -244,6 +254,13 @@ const user = { if (result && result.managementserverid) { commit('SET_MS_ID', result.managementserverid) } + if (result.passwordchangerequired) { + commit('SET_PASSWORD_CHANGE_REQUIRED', true) + commit('SET_APIS', {}) + vueProps.$localStorage.remove(APIS) + } else { + commit('SET_PASSWORD_CHANGE_REQUIRED', false) + } const latestVersion = vueProps.$localStorage.get(LATEST_CS_VERSION, { version: '', fetchedTs: 0 }) commit('SET_LATEST_VERSION', latestVersion) notification.destroy() 
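Review bot: `if (result.passwordchangerequired)` dereferences `result` unguarded, while the line just above it is written `if (result && result.managementserverid)`; if `result` can be absent, the new line throws inside the login promise instead of treating the flag as false, so use the same guard: `if (result && result.passwordchangerequired) {`. Clearing the cached APIs (`SET_APIS`, removing `APIS` from local storage) when the flag is set is the right call, since stale cached routes would otherwise be regenerated on refresh; a one-line comment saying so would help. The `Login` action starts and ends outside this hunk.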
@@ -323,6 +340,15 @@ const user = { commit('SET_DOMAIN_STORE', domainStore) commit('SET_DARK_MODE', darkMode) commit('SET_LATEST_VERSION', latestVersion) + + // This block is to enforce password change for first time login after admin resets password + const isPwdChangeRequired = vueProps.$localStorage.get(PASSWORD_CHANGE_REQUIRED) + commit('SET_PASSWORD_CHANGE_REQUIRED', isPwdChangeRequired) + if (isPwdChangeRequired) { + resolve() + return + } + if (hasAuth) { console.log('Login detected, using cached APIs') commit('SET_ZONES', cachedZones) @@ -485,6 +511,8 @@ const user = { vueProps.$localStorage.remove(ACCESS_TOKEN) vueProps.$localStorage.remove(HEADER_NOTICES) + commit('SET_PASSWORD_CHANGE_REQUIRED', false) + logout(state.token).then(() => { message.destroy() if (cloudianUrl) { diff --git a/ui/src/store/mutation-types.js b/ui/src/store/mutation-types.js index 0b1f921ab86e..5fc2cd74d213 100644 --- a/ui/src/store/mutation-types.js +++ b/ui/src/store/mutation-types.js @@ -43,6 +43,7 @@ export const RELOAD_ALL_PROJECTS = 'RELOAD_ALL_PROJECTS' export const MS_ID = 'MS_ID' export const OAUTH_DOMAIN = 'OAUTH_DOMAIN' export const OAUTH_PROVIDER = 'OAUTH_PROVIDER' +export const PASSWORD_CHANGE_REQUIRED = 'PASSWORD_CHANGE_REQUIRED' export const CONTENT_WIDTH_TYPE = { Fluid: 'Fluid', diff --git a/ui/src/views/iam/ChangeUserPassword.vue b/ui/src/views/iam/ChangeUserPassword.vue index d5c52b8f637e..f736557289c7 100644 --- a/ui/src/views/iam/ChangeUserPassword.vue +++ b/ui/src/views/iam/ChangeUserPassword.vue @@ -49,6 +49,11 @@ v-model:value="form.confirmpassword" :placeholder="$t('label.confirmpassword.description')"/> + + + {{ $t('label.change.password.onlogin') }} + +
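Review bot: `vueProps.$localStorage.get(PASSWORD_CHANGE_REQUIRED)` is called without a default, unlike the other reads in this action (e.g. `$localStorage.get(APIS, {})`), so when the key is absent the mutation stores `undefined` in `state.passwordChangeRequired` rather than `false`; use `vueProps.$localStorage.get(PASSWORD_CHANGE_REQUIRED, false)`. The early `resolve()` returns before the `hasAuth` branch restores zones and the rest of the cached state, so anything the force-change page needs from the store must already be set above this point; a comment stating that intent would help. On refresh the flag comes only from local storage, a value under the browser's control; that is acceptable here because the server's restricted `listApis` result still governs what the UI can load, but the comment should say the local value is a hint rather than the control. `GetInfo` starts and ends outside this hunk.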
{{ $t('label.cancel') }} @@ -102,6 +107,11 @@ export default { isAdminOrDomainAdmin () { return ['Admin', 'DomainAdmin'].includes(this.$store.getters.userInfo.roletype) }, + isCallerNotSameAsUser () { + const userId = this.$store.getters.userInfo.id + const resourceId = this.resource?.id ?? null + return userId !== resourceId + }, isValidValueForKey (obj, key) { return key in obj && obj[key] != null }, @@ -134,6 +144,10 @@ export default { if (this.isValidValueForKey(values, 'currentpassword') && values.currentpassword.length > 0) { params.currentpassword = values.currentpassword } + + if (this.isAdminOrDomainAdmin() && values.passwordChangeRequired === true) { + params.passwordchangerequired = values.passwordChangeRequired + } postAPI('updateUser', params).then(json => { this.$notification.success({ message: this.$t('label.action.change.password'), diff --git a/ui/src/views/iam/ForceChangePassword.vue b/ui/src/views/iam/ForceChangePassword.vue new file mode 100644 index 000000000000..b2c5f7110f42 --- /dev/null +++ b/ui/src/views/iam/ForceChangePassword.vue @@ -0,0 +1,269 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + + + + + +