Before 8.0.0/11802, users were created perfectly with msad-user-account-control-mapper, but now the user creation flow is broken.
After creating a user in the web console, the user is also created in AD with userAccountControl = 546 and pwdLastSet = 0, which makes sense. The UPDATE_PASSWORD flag is also set.
The update password email is not sent, though. Investigating a little further, the email is not being sent, with the message "User is disabled".
An example of a creation flow that is failing follows:
Before 8.0.0 we had special treatment for when pwdLastSet = 0, in which case we would return kcEnable, but that was removed in https://github.com/keycloak/keycloak/commit/e018ca3e29cd5f0d3a362a3d4a3749c4893f44c6
We should either go back to the previous isEnabled logic or allow the email to be sent for disabled users (the problem might be bigger than just the update password action, as setting a password manually seems to be failing for me as well on disabled users).
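The state described in this report can be modelled as follows. This is an added example, not part of the original report and not Keycloak source code: the function names are hypothetical, the post-8.0.0 check is assumed to look only at the AD ACCOUNTDISABLE bit, and Keycloak's own enabled flag is assumed to be true for a freshly created user.

```python
# Added illustration: a model of the behaviour the report describes,
# not Keycloak source. All function names here are hypothetical.

# userAccountControl bits, values as documented by Microsoft for Active Directory.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Return the flag names set in a userAccountControl value."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def is_enabled_pre_8(uac, pwd_last_set, kc_enabled):
    """Pre-8.0.0 behaviour per the report: pwdLastSet = 0 defers to Keycloak's own flag."""
    if pwd_last_set == 0:
        return kc_enabled
    return not (uac & ACCOUNTDISABLE)


def is_enabled_ad_only(uac):
    """Assumed 8.0.0 behaviour: only the AD ACCOUNTDISABLE bit decides."""
    return not (uac & ACCOUNTDISABLE)


def update_password_email(enabled):
    """Model of the required-action email step that refuses disabled users."""
    return "sent" if enabled else "User is disabled"


def creation_flow(uac=546, pwd_last_set=0, kc_enabled=True):
    """Run the reported state through both variants (kc_enabled=True is assumed)."""
    return {
        "flags": decode_uac(uac),
        "pre_8.0.0": update_password_email(is_enabled_pre_8(uac, pwd_last_set, kc_enabled)),
        "8.0.0": update_password_email(is_enabled_ad_only(uac)),
    }


if __name__ == "__main__":
    print(creation_flow())
```

The value 546 decodes to ACCOUNTDISABLE, PASSWD_NOTREQD and NORMAL_ACCOUNT, so any check that reads only the AD bit treats the new account as disabled until a password is set.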