As new NIST publications come out and organizations adopt the new requirements of the NIST publication, existing accounts need to be brought into compliance. In reading the Esri Support FAQ, it states that members of an ArcGIS Online organization are not required to update their passwords upon logging in after an organization's password policy change. This poses a compliance issue for organizations to ensure that their accounts are complying with the new NIST requirements.
My idea is that upon saving changes to the Password Policy, Administrators be asked the question of whether or not they would like all non-compliant users to be forced to change their password to a compliant password at next login. This would give organizations the assurance that they need to ensure that users are complying with the new password policy.
