we use windows AD to authenticate users with 2FA. We usually set a default password and they are required to change on first use or update as needed. you can do this with default security but not AD security.
without users being able to update and manage their own passwords it adds another layer of difficulty for our staff to manage.
Customer support service by UserEcho