Forum Discussion
Set Force a user to change password on next logon via Powershell
I have created a script to try to change the user setting 'force password change at next login'. I wish to do this without having to change their password. I have tried both user authentication (using a global admin account) and application authentication (via client secret). When I run the script in either authentication context I get access denied when it comes to updating the user. The script was to read in a CSV file and do this, but I have simplified it to the following to show the basic concept of the commands I am trying to run and the authentication process:
# Client secret of the app registration (redacted), wrapped as a PSCredential with the application (client) ID
$secureSecret = ConvertTo-SecureString "xxxxxxxxxxxxxxxxx" -AsPlainText -Force
$credential = New-Object PSCredential("xxxxxxxxxxxxxxxxxxxxx", $secureSecret)
# App-only (client credentials) sign-in to the tenant
Connect-MgGraph -TenantId "xxxxxxxxxxxxxxxs" -ClientSecretCredential $credential
# Reading the user works
Get-MgUser -UserId "email address removed for privacy reasons" -Property "userPrincipalName,userType,onPremisesSyncEnabled"
# Updating the password profile is the call that returns 403
Update-MgUser -UserId "email address removed for privacy reasons" -PasswordProfile @{ForceChangePasswordNextSignIn = $true}
In the application I have created I have assigned the permissions I believe would be required to support this action (I added Directory.ReadWrite.All, just in case).
The user read works fine, but I get the error below when trying to update:
Update-MgUser_UpdateExpanded: Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2025-10-15T13:36:46
I have tried this in two different 365 tenants, but both fail with the same error. The tenants are cloud only with no synchronisation from on-premises. I have tried many iterations but have reached a dead end.
Is it possible to force a password reset via a PowerShell script, and if so, what am I doing wrong with my permissions?
TIA
1 Reply
- Jacqui Hurst, Brass Contributor
Typical, I found the solution as soon as I posted this (don't ask how long it took me!). I found another permission, 'User.PasswordProfile.ReadWrite', and hey presto, success. Just sharing in case anyone else wants to tear their hair out too 😁
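As an added example (not the poster's script), here is the CSV-driven version of the task with a pre-flight check that the Graph session actually holds the password-profile permission the reply identifies, so a missing grant is caught before any user is touched. It assumes the permission's full Graph name is User-PasswordProfile.ReadWrite.All (the reply quotes it slightly differently), a CSV with a UserPrincipalName column, and that Get-MgContext lists app-only roles in its Scopes property.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph.Users module.
Import-Module Microsoft.Graph.Users

# Permission name as understood from the Graph docs (assumption; the reply writes it slightly differently).
$RequiredScope = 'User-PasswordProfile.ReadWrite.All'

function Test-RequiredScope {
    param([string]$Scope)
    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Not connected. Run Connect-MgGraph first.' }
    # Assumption: for app-only sessions the granted app roles also appear in Scopes.
    return [bool]($ctx.Scopes -contains $Scope)
}

function Set-ForcePasswordChange {
    param([string[]]$UserPrincipalName, [switch]$DryRun)
    foreach ($upn in $UserPrincipalName) {
        try {
            $u = Get-MgUser -UserId $upn -Property 'id,userPrincipalName,onPremisesSyncEnabled' -ErrorAction Stop
            if ($u.OnPremisesSyncEnabled) {
                # Synced accounts have their password profile mastered on-premises; do not flag them here.
                [pscustomobject]@{ User = $upn; Result = 'Skipped (on-premises synced)' }
                continue
            }
            if ($DryRun) { [pscustomobject]@{ User = $upn; Result = 'Would flag' }; continue }
            # Only the flag changes; the password itself is left untouched.
            Update-MgUser -UserId $u.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true } -ErrorAction Stop
            [pscustomobject]@{ User = $upn; Result = 'Flagged' }
        } catch {
            # A 403 Authorization_RequestDenied here means the scope above was not granted or consented.
            [pscustomobject]@{ User = $upn; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}

# Connect first, app-only as in the question:
# Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $credential
if (-not (Test-RequiredScope $RequiredScope)) {
    throw "Session lacks $RequiredScope; grant it on the app registration and admin-consent it before running."
}

$csvPath = '.\users.csv'   # constructed sample path; the file has one column: UserPrincipalName
$targets = Import-Csv $csvPath | Select-Object -ExpandProperty UserPrincipalName
Set-ForcePasswordChange -UserPrincipalName $targets -DryRun | Format-Table -AutoSize
```

Run once with -DryRun to review the list, then drop the switch to apply the flag; the per-user result objects can be exported for the change record.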