Forum Discussion
Force user to reset password in hybrid
Hey there!
I see that you have two separate issues here.
So, for the first one: by default, the "user must change the password at the next logon" flag is not synced by Entra Connect. To enable syncing of the flag, run the command
Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
Note that this command changes the production settings of your environment, so it's a change that needs to be planned and evaluated accordingly. Note also that, after the change, the existing flags will not be synced; only new changes are synced.
For the second problem: it seems to be an issue related to an on-prem policy, maybe the password policy. Try to follow this article for troubleshooting:
Troubleshoot password resets blocked by on-premises policy | Microsoft Learn
You should be able to understand which policy is preventing the changes.
Note that some of these options may or may not be available depending on your Entra Connect configuration, for example whether password writeback is enabled.
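The following is an added example (not code from the original post or from Microsoft) showing how the steps above fit together on the Entra Connect server: check the current feature state, enable the flag sync, set the flag on a test account so that it is a new change (since pre-existing flags are not picked up), and trigger a delta sync instead of waiting for the scheduler. It assumes the ADSync and ActiveDirectory PowerShell modules are available, that password writeback is already configured as noted above, and that `testuser01` is a placeholder account name.

```powershell
# Added example, not part of the original post. Run in an elevated session on the
# Entra Connect server; the account name below is a placeholder.
Import-Module ADSync
Import-Module ActiveDirectory

# 1. Record the current state of the company feature before changing production settings.
$before = Get-ADSyncAADCompanyFeature
"ForcePasswordChangeOnLogOn before: $($before.ForcePasswordChangeOnLogOn)"

# 2. Enable syncing of the "user must change password at next logon" flag.
#    This is the command from the reply above; it is tenant-wide, so only run it
#    once the change has been planned and approved.
if (-not $before.ForcePasswordChangeOnLogOn) {
    Set-ADSyncAADCompanyFeature -ForcePasswordChangeOnLogOn $true
}

# 3. Confirm the setting took effect.
$after = Get-ADSyncAADCompanyFeature
"ForcePasswordChangeOnLogOn after:  $($after.ForcePasswordChangeOnLogOn)"

# 4. Only changes made after enabling the feature are synced, so set the flag on
#    the test account now. -ChangePasswordAtLogon writes pwdLastSet = 0 on premises.
$samAccountName = 'testuser01'   # placeholder account
Set-ADUser -Identity $samAccountName -ChangePasswordAtLogon $true

# 5. Push a delta sync rather than waiting for the scheduler (30-minute default).
Start-ADSyncSyncCycle -PolicyType Delta

# 6. Verify the on-premises flag; the cloud side can be checked in the Entra portal.
Get-ADUser -Identity $samAccountName -Properties pwdLastSet |
    Select-Object SamAccountName, @{ n = 'MustChangePassword'; e = { $_.pwdLastSet -eq 0 } }
```

If step 3 still reports `False`, the setting did not apply and the flag on the test account will not be synced regardless of step 4; resolve that first before troubleshooting the password policy issue from the linked article.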