diff --git a/stages/org.osbuild.users b/stages/org.osbuild.users
index 67722a5d..08fbf287 100755
--- a/stages/org.osbuild.users
+++ b/stages/org.osbuild.users
@@ -110,6 +110,7 @@ def main(tree, options):
 shell = user_options.get("shell")
 password = user_options.get("password")
 expiredate = user_options.get("expiredate")
+ force_password_reset = user_options.get("force_password_reset", False)
 passwd = getpwnam(tree, name)
 if passwd is not None:
@@ -125,6 +126,9 @@ def main(tree, options):
 else:
 useradd(tree, name, uid, gid, groups, description, home, shell, password, expiredate)
+ if force_password_reset:
+ subprocess.run(["chroot", tree, "passwd", "--expire", name], check=True)
+
 # following maintains backwards compatibility for handling a single ssh key
 key = user_options.get("key") # Public SSH key
 keys = user_options.get("keys", []) # Additional public SSH keys
diff --git a/stages/org.osbuild.users.meta.json b/stages/org.osbuild.users.meta.json
index 6c8668a6..22df5dee 100644
--- a/stages/org.osbuild.users.meta.json
+++ b/stages/org.osbuild.users.meta.json
@@ -66,6 +66,10 @@
 "expiredate": {
 "description": "The date on which the user account will be disabled. This date is represented as a number of days since January 1st, 1970.",
 "type": "integer"
+ },
+ "force_password_reset": {
+ "description": "Force this user to change their password on first login",
+ "type": "boolean"
 }
 }
 }
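Review bot: The added `passwd --expire` call in the second hunk runs whenever `force_password_reset` is true, without checking that the account has a password the user can actually change. If `password` is unset and the user is created with SSH keys only, the expired entry will probably make PAM demand a password change that needs a current password the user does not have, so the first login fails; this depends on the image's PAM and sshd configuration and should be confirmed. A guard placed before the useradd/usermod step, such as `if force_password_reset and password is None and passwd is None: raise ValueError("force_password_reset requires a password for a new user")`, would turn that into a build-time error. Indentation is lost in this view, so I am assuming the new `if` sits after both branches rather than inside the `else`; `main` starts and ends outside the hunk.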
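Review bot: The description of `force_password_reset` does not say that the option is only meaningful for an account that has a password, and the schema accepts it with `password` absent. I would reword it along the lines of `"description": "Expire the user's password so that it must be changed at the next login; only meaningful for an account that has a password"`. If the schema draft used for these meta files supports property dependencies, tying `force_password_reset` to `password` would catch the mismatch at validation time rather than at first login. The enclosing properties object starts outside the hunk.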