if you're using Hybrid Identity (e.g. with AzureAD-Connect) the passwords are mainly stored in the OnPrem AD. If you're using PHS the Hashes are synced, if you're using PTA/ADFS they are not synced - but the main password is stored at the user object in AD.
If you set the flag "user must change password at next logon" at the user object in AD the user has to change his password.
Afaik this works on domain joined clients, the ADFS pages and on AAD and AAD-joined Devices (when PW-Writeback is enabled).
To answer your question: Set the flag for your user and test in your environment. After testing set the flag for more users (maybe via PowerShell) or configure a password policy via GPO in your AD which forces the user to change their passwords periodicaly.
Best Response confirmed by
Djavan ROA (Contributor)