APM - Do not send OTP if AD password needs changing
I have a virtual LTM-APM sitting in front of a SharePoint 2019 deployment. We have an APM policy attached to the VIPs which authenticates users and then sends an OTP via email for login. All works swimmingly! Some of our testers noticed that when a user is prompted for an AD password change (i.e. pwd expiration etc.), the APM module still sends an OTP to the user. Once the password is changed, a new login must be done with the new credentials and another OTP is sent. A lot of our users are not very tech savvy, so they'll get understandably frustrated and report OTP/login as not working.
I've tried to explore some VPE branches but none are jumping out at me as a potential solution. I have seen another solution on DevNet where a user did an email/captcha, then OTP, then uname/pword, but I feel it's over-engineered and that there should be a simpler solution to this?
Has anybody come across this before or know of a fix? Any help is appreciated.
EDIT: I'm basically trying to understand if we can get the APM module to not send an OTP if the password needs changing. There must be an AD attribute that signals a password change is needed?
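Added example (not part of the original post, and not F5 code): the AD-side signal the poster is asking about is a combination of attributes rather than a single flag. `pwdLastSet` of `0` means "user must change password at next logon"; otherwise the password is expired when `pwdLastSet` plus the domain's `maxPwdAge` (stored as a negative count of 100 ns intervals) is in the past, unless `userAccountControl` carries `DONT_EXPIRE_PASSWD` (0x10000). The Python below implements exactly that decision over constructed sample attribute values, so it runs offline; wiring it into APM is an assumption on my part, but an AD Query agent that fetches `pwdLastSet` and `userAccountControl` into session variables (in my experience they land under `session.ad.last.attr.<name>`; verify on your version) would let a VPE branch rule skip the OTP agent when this function would return `True`.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 UTC); AD stores pwdLastSet and
# maxPwdAge as counts of 100-nanosecond intervals.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bit meaning "password never expires".
UF_DONT_EXPIRE_PASSWD = 0x10000

# Domain value meaning "passwords never expire" (LDAP shows it as the
# most negative 64-bit integer; some tools show 0).
MAXPWDAGE_NEVER = -0x8000000000000000

# Constructed sample data for this example: a 42-day domain policy and a
# fixed "now" so the results are reproducible.
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000   # -36288000000000
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware UTC datetime to a FILETIME integer."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def days_ago_filetime(days: int, now: datetime = NOW) -> int:
    """Helper for building sample pwdLastSet values."""
    return datetime_to_filetime(now - timedelta(days=days))


def password_change_required(user: dict, max_pwd_age: int,
                             now: datetime = NOW) -> tuple[bool, str]:
    """
    Decide whether AD will demand a password change at the next logon.

    user        : the account's LDAP attributes as integers
                  ("pwdLastSet", "userAccountControl")
    max_pwd_age : the domain's maxPwdAge (negative 100 ns intervals,
                  or MAXPWDAGE_NEVER / 0 for "never")
    Returns (required, reason).
    """
    pwd_last_set = int(user.get("pwdLastSet", 0))
    uac = int(user.get("userAccountControl", 0))

    # pwdLastSet == 0 is how "User must change password at next logon"
    # is stored; it wins over every other setting.
    if pwd_last_set == 0:
        return True, "pwdLastSet=0: must change password at next logon"

    if uac & UF_DONT_EXPIRE_PASSWD:
        return False, "DONT_EXPIRE_PASSWD set on the account"

    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return False, "domain maxPwdAge: passwords never expire"

    # maxPwdAge is negative, so subtracting it adds the lifetime.
    expires = filetime_to_datetime(pwd_last_set - max_pwd_age)
    if expires <= now:
        return True, f"password expired at {expires.isoformat()}"
    return False, f"password valid until {expires.isoformat()}"


if __name__ == "__main__":
    # Constructed sample accounts; 0x200 is NORMAL_ACCOUNT.
    samples = {
        "fresh-hire":    {"pwdLastSet": 0, "userAccountControl": 0x200},
        "recent-change": {"pwdLastSet": days_ago_filetime(10), "userAccountControl": 0x200},
        "stale":         {"pwdLastSet": days_ago_filetime(60), "userAccountControl": 0x200},
        "service-acct":  {"pwdLastSet": days_ago_filetime(500), "userAccountControl": 0x10200},
    }
    for name, attrs in samples.items():
        required, why = password_change_required(attrs, MAX_PWD_AGE_42_DAYS)
        print(f"{name:14} send OTP: {'no' if required else 'yes':3}  ({why})")
```

The check is deliberately done before the OTP step: if the account would be bounced into APM's password-change page anyway, the branch sends no OTP, and the user only receives one after logging in with the new password. Note that `pwdLastSet` is per-user while `maxPwdAge` comes from the domain object (or a fine-grained password policy, which this example does not model), so you need both values in the session to evaluate expiry, whereas the `pwdLastSet == 0` case needs only the user attribute.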