Before reporting an issue
Area
No response
Describe the bug
After upgrading Keycloak from 26.4.0 to 26.6.1, temporary password reset no longer works correctly for users federated from Microsoft Active Directory via LDAP.
When resetting the password of an AD/LDAP federated user in the Admin Console with Temporary = ON, Keycloak accepts the change, but the user is not forced to update the password on next login.
The same operation still works as expected for local Keycloak users.
I also tested this via the Admin REST API. Setting requiredActions=["UPDATE_PASSWORD"] on the federated user returns 204 No Content, but after reading the user again, requiredActions is still empty.
This appears to be a regression, because the same setup and workflow worked correctly in Keycloak 26.4.0.
Version
26.6.1
Regression
Expected behavior
Federated user should have UPDATE_PASSWORD required action, or AD pwdLastSet should be set to 0.
Actual behavior
Password is reset, but requiredActions remains empty.
User is not forced to update password at next login.
How to Reproduce?
- Configure Microsoft AD user federation.
- Import/sync AD user.
- Open federated user in Admin Console.
- Go to Credentials.
- Set new password with Temporary = ON.
- Save.
- Reopen user or call Admin REST API.
- requiredActions is empty.
Anything else?
Same operation works for local Keycloak users.
Admin REST PUT /users/{id} with requiredActions=["UPDATE_PASSWORD"] returns 204, but requiredActions remains empty.
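A read-back check for the behaviour described in this report, as an added example that is not part of the original issue and is not Keycloak code: it writes `UPDATE_PASSWORD` through the Admin REST user endpoint, re-reads the user, and flags a 204 response that stored nothing. The base URL, realm name, token and the `fake_keycloak` stand-in (which only simulates the reported behaviour so the check runs offline) are assumptions.

```python
import json
import urllib.request

def http_json(method, url, token, body=None):
    """Minimal Admin REST call: returns (status, parsed JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def check_required_action(base, realm, user_id, token, call=http_json,
                          action="UPDATE_PASSWORD"):
    """Read-modify-write the user, then read back to see if the action stuck."""
    url = f"{base}/admin/realms/{realm}/users/{user_id}"
    _, user = call("GET", url, token)
    wanted = sorted(set(user.get("requiredActions") or []) | {action})
    status, _ = call("PUT", url, token, {**user, "requiredActions": wanted})
    _, after = call("GET", url, token)
    persisted = action in (after.get("requiredActions") or [])
    return {"put_status": status,
            "federated": bool(after.get("federationLink")),
            "persisted": persisted,
            # Failure mode from this report: success status, nothing stored.
            "silently_dropped": status == 204 and not persisted}

def fake_keycloak(user, drop_for_federated):
    """Constructed in-memory stand-in so the check runs offline (not Keycloak code)."""
    def call(method, url, token, body=None):
        if method == "PUT":
            if not (drop_for_federated and user.get("federationLink")):
                user["requiredActions"] = body["requiredActions"]
            return 204, None
        return 200, dict(user)
    return call

def demo():
    # Constructed sample users; ids and the federation link are placeholders.
    ldap = {"id": "u-ldap", "federationLink": "ldap-provider-id", "requiredActions": []}
    local = {"id": "u-local", "requiredActions": []}
    args = ("https://keycloak.example", "demo", "ignored", "token-placeholder")
    return (check_required_action(*args, call=fake_keycloak(ldap, True)),
            check_required_action(*args, call=fake_keycloak(local, True)))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Against a real server, call `check_required_action` with the default `call` and an admin access token; run after an upgrade, a `silently_dropped` result on federated users means temporary passwords are not being enforced at next login.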