The information of "change password in next logon" is not just a flag or attribuite... it is a mix of both " Pwd-Last-Set attribute   (...) If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon. " in this microsoft article.   In Radius (here my knowlegde is very limited) you have other code/message to inform the client (in this case, the SA) the user must change the password:   4. New Messages (...) 32 Password Expired   in RFC2882     So in order to all this works, should be something like   Radius Client send user credentials to Radius Server Radius Server check via ldap the credentials of the user and if Pwd-Last-Set attribute is 0 and User-Account-Control has  UF_DONT_EXPIRE_PASSWD flag if true, Radius Server send to radius Cliente the attribute/message 32 to the password be changed.   In comercial products, they implement this... check in freeradius if they do this out-of-box or if you need to code this.   ... View more

The easiest and cleanest option is to use Radius if the SMS auth app supports standard Radius (so SA will be a Radius Client and your App/Backend the Radius Server)   Other options: 1. If your app supports SAML then it can become the identity provider and  SA the consumer (service provider). This will be  a SSO type intergation.  ... View more