Hi @Mferguson
Thanks for reaching out to Microsoft Q&A.
If the device is registered and managed by your company, there's a good chance that they are signing in using a PRT.
A Primary Refresh Token (PRT) is a key artifact of Microsoft Entra authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It's a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices.
PRTs expire after a 90-day period, but they are renewed indefinitely if the device is used frequently, as long as the PRT is not invalidated.
https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token
As a workaround, you could configure a CA policy to force the users to sign in after x days. By doing so, they will be prompted for username/password, which would trigger the password reset flow for the accounts with expired passwords.
Thanks,
Fabio
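The sign-in frequency policy suggested in the answer above, written out as a Microsoft Graph PowerShell example. This is an added example, not part of Fabio's answer or Microsoft's documentation; the 14-day interval, the policy name and the excluded group id are placeholders you would replace with your own values.

```powershell
# Added example (not part of the answer above): create a Conditional Access
# policy that forces users to re-authenticate every N days using the
# Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
# Placeholders: the day count, display name and the excluded group id.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# The "x amount of days" from the answer; choose a value that fits your risk appetite.
$signInFrequencyDays = 14

$policy = @{
    displayName = "Require re-authentication every $signInFrequencyDays days"
    # Start in report-only mode and review the sign-in logs before enforcing,
    # so the policy cannot lock users out unexpectedly.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            # Placeholder group id: always exclude your emergency-access (break-glass) accounts.
            excludeGroups = @("00000000-0000-0000-0000-000000000000")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled          = $true
            type               = "days"
            value              = $signInFrequencyDays
            frequencyInterval  = "timeBased"
            # Require the primary credential again, not only the second factor,
            # so a PRT-based silent sign-in is not enough once the interval passes.
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results look right, switch `state` to `"enabled"` with `Update-MgIdentityConditionalAccessPolicy`.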