Hi @Sim1S, my colleague @AmanpreetSingh-MSFT recently answered a thread here that I think could help you a lot. The most common reason for this issue is usually that the password expiration is only applying to the cloud users or that PasswordNeverExpire is set to True. Changing these settings will fix your users being able to log in after their passwords expire. And if this works, it should eliminate the need for what you asked in questions 1 and 2. If it doesn't work for you, please let me know and I can look into it more. If you're still curious about how you can accomplish what you asked, please let me know and I can look into it and give you an answer :)
If this answer helped you please mark it as "Verified" so other users may reference it.
Thank you,
James