The /employees endpoint can be filtered on which employees are in a state of Forced Password Reset (employee will be forced to change their password on their next login prompt):
Show the status for a single employee:
GET /employees/{id}?include=forcePasswordChange
{id} = the employees.id value identifying an employee
List employees that have had the state set:
GET /employees?forcePasswordChange=true