Implement "force password change when the user authenticates"
As per https://support.apple.com/en-ca/guide/deployment/dep4d6a472a/web, Apple has an API for forcing a user password change. This is useful when updating password policy - passwords that met the old policy but no longer meet the new policy are not evaluated and forced to change. This setting, however, would make it so.
Ashley Harvey commented
Currently this has to be done by creating a custom profile via a utility other than Configurator (as of this writing). Upon pushing the "force password update" setting inside a profile and rebooting, the user is prompted for their new password. They can reuse their old password if it meets current password policies (including reuse settings); but must change it if not.
This is perfect except you have to create and push this custom profile. Then you have to manually remove the profile once you've (somehow) verified that people have had a chance to re-auth. I guess the easiest way is to wait a couple of weeks and then make sure uptimes on machines are less than the time you waited - meaning a reboot took place and presumably the user was presented. This is clunky and too manual.