Ok, if I create an in zone rule to not require MFA login if in zone, then the API returns status PASSWORD_EXPIRED, and I can successfully change the password by calling the change_password API, but if that rule is not in place the status comes back MFA_REQUIRED, and the change_password API call will not work.
How do I know that the status of the login user is PASSWORD_EXPIRED if the login call returns MFA_REQUIRED?