Hi @saithal,
I have tested the Password Rotation integration and did not encounter any issues with it. I tested with a user who has the last_password_reset in the app_metadata and at the root level attribute. In both cases, the user was prompted to reset their password and denied access.
If this does not work, you can implement a post-login action script to mimic the same behavior. For this, I recommend referring to this related post.
Let me know if you have any additional questions.
Thanks,
Rueben