diff --git a/redfish-core/include/error_messages.hpp b/redfish-core/include/error_messages.hpp
index 4d71745..6e280c0 100644
--- a/redfish-core/include/error_messages.hpp
+++ b/redfish-core/include/error_messages.hpp
@@ -764,6 +764,17 @@
 void queryParameterOutOfRange(crow::Response& res, const std::string& arg1,
                               const std::string& arg2, const std::string& arg3);
 
+/**
+ * @brief Formats PasswordChangeRequired message into JSON
+ * Message body: The password provided for this account must be changed
+ * before access is granted.  PATCH the 'Password' property for this
+ * account located at the target URI '%1' to complete this process.
+ *
+ * @param[in] arg1 Parameter of message that will replace %1 in its body.
+ *
+ * @returns Message PasswordChangeRequired formatted to JSON */
+void passwordChangeRequired(crow::Response& res, const std::string& arg1);
+
 } // namespace messages
 
 } // namespace redfish
diff --git a/redfish-core/include/node.hpp b/redfish-core/include/node.hpp
index 9086f1e..a6e1e27 100644
--- a/redfish-core/include/node.hpp
+++ b/redfish-core/include/node.hpp
@@ -169,8 +169,8 @@
         res.end();
     }
 
-    /* @brief Would the operation be allowed if the user did not have
-     * the ConfigureSelf Privilege?
+    /* @brief Would the operation be allowed if the user did not have the
+     * ConfigureSelf Privilege?  Also honors session.isConfigureSelfOnly.
      *
      * @param req      the request
      *
@@ -181,9 +181,18 @@
         const std::string& userRole = req.userRole;
         BMCWEB_LOG_DEBUG << "isAllowedWithoutConfigureSelf for the role "
                          << req.userRole;
-        Privileges effectiveUserPrivileges =
-            redfish::getUserPrivileges(userRole);
-        effectiveUserPrivileges.resetSinglePrivilege("ConfigureSelf");
+        Privileges effectiveUserPrivileges;
+        if (req.session && req.session->isConfigureSelfOnly)
+        {
+            // The session has no privileges because it is limited to
+            // configureSelfOnly and we are disregarding that privilege.
+            // Note that some operations do not require any privilege.
+        }
+        else
+        {
+            effectiveUserPrivileges = redfish::getUserPrivileges(userRole);
+            effectiveUserPrivileges.resetSinglePrivilege("ConfigureSelf");
+        }
         const auto& requiredPrivilegesIt = entityPrivileges.find(req.method());
         return (requiredPrivilegesIt != entityPrivileges.end()) &&
                isOperationAllowedWithPrivileges(requiredPrivilegesIt->second,
diff --git a/redfish-core/include/privileges.hpp b/redfish-core/include/privileges.hpp
index 1ca57fa..35f619b 100644
--- a/redfish-core/include/privileges.hpp
+++ b/redfish-core/include/privileges.hpp
@@ -196,7 +196,23 @@
         return (privilegeBitset & p.privilegeBitset) == p.privilegeBitset;
     }
 
+    /**
+     * @brief Returns the intersection of two Privilege sets.
+     *
+     * @param[in] privilege  Privilege set to intersect with.
+     *
+     * @return               The new Privilege set.
+     *
+     */
+    Privileges intersection(const Privileges& p) const
+    {
+        return Privileges{privilegeBitset & p.privilegeBitset};
+    }
+
   private:
+    Privileges(const std::bitset<maxPrivilegeCount>& p) : privilegeBitset{p}
+    {
+    }
     std::bitset<maxPrivilegeCount> privilegeBitset = 0;
 };
 
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index b579994..609c7db 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -1618,7 +1618,7 @@
                                     *userLocked;
                                 asyncResp->res.jsonValue
                                     ["Locked@Redfish.AllowableValues"] = {
-                                    "false"};
+                                    "false"}; // can only unlock accounts
                             }
                             else if (property.first == "UserPrivilege")
                             {
@@ -1647,6 +1647,22 @@
                                                   "Roles/" +
                                                       role}};
                             }
+                            else if (property.first == "UserPasswordExpired")
+                            {
+                                const bool* userPasswordExpired =
+                                    std::get_if<bool>(&property.second);
+                                if (userPasswordExpired == nullptr)
+                                {
+                                    BMCWEB_LOG_ERROR << "UserPassword"
+                                                        "Expired "
+                                                        "wasn't a bool";
+                                    messages::internalError(asyncResp->res);
+                                    return;
+                                }
+                                asyncResp->res
+                                    .jsonValue["PasswordChangeRequired"] =
+                                    *userPasswordExpired;
+                            }
                         }
                     }
                 }
diff --git a/redfish-core/lib/redfish_sessions.hpp b/redfish-core/lib/redfish_sessions.hpp
index c3e11a3..515f5be 100644
--- a/redfish-core/lib/redfish_sessions.hpp
+++ b/redfish-core/lib/redfish_sessions.hpp
@@ -192,7 +192,9 @@
             return;
         }
 
-        if (pamAuthenticateUser(username, password) != PAM_SUCCESS)
+        int pamrc = pamAuthenticateUser(username, password);
+        bool isConfigureSelfOnly = pamrc == PAM_NEW_AUTHTOK_REQD;
+        if ((pamrc != PAM_SUCCESS) && !isConfigureSelfOnly)
         {
             messages::resourceAtUriUnauthorized(res, std::string(req.url),
                                                 "Invalid username or password");
@@ -204,11 +206,19 @@
         // User is authenticated - create session
         std::shared_ptr<crow::persistent_data::UserSession> session =
             crow::persistent_data::SessionStore::getInstance()
-                .generateUserSession(username);
+                .generateUserSession(
+                    username, crow::persistent_data::PersistenceType::TIMEOUT,
+                    isConfigureSelfOnly);
         res.addHeader("X-Auth-Token", session->sessionToken);
         res.addHeader("Location", "/redfish/v1/SessionService/Sessions/" +
                                       session->uniqueId);
         res.result(boost::beast::http::status::created);
+        if (session->isConfigureSelfOnly)
+        {
+            messages::passwordChangeRequired(
+                res,
+                "/redfish/v1/AccountService/Accounts/" + session->username);
+        }
         memberSession.doGet(res, req, {session->uniqueId});
     }
 
diff --git a/redfish-core/src/error_messages.cpp b/redfish-core/src/error_messages.cpp
index bc5ba77..4be2687 100644
--- a/redfish-core/src/error_messages.cpp
+++ b/redfish-core/src/error_messages.cpp
@@ -1699,6 +1699,32 @@
                           queryParameterOutOfRange(arg1, arg2, arg3));
 }
 
+/**
+ * @internal
+ * @brief Formats PasswordChangeRequired message into JSON
+ *
+ * See header file for more information
+ * @endinternal
+ */
+void passwordChangeRequired(crow::Response& res, const std::string& arg1)
+{
+    messages::addMessageToJsonRoot(
+        res.jsonValue,
+        nlohmann::json{
+            {"@odata.type", "/redfish/v1/$metadata#Message.v1_5_0.Message"},
+            {"MessageId", "Base.1.5.0.PasswordChangeRequired"},
+            {"Message", "The password provided for this account must be "
+                        "changed before access is granted.  PATCH the "
+                        "'Password' property for this account located at "
+                        "the target URI '" +
+                            arg1 + "' to complete this process."},
+            {"MessageArgs", {arg1}},
+            {"Severity", "Critical"},
+            {"Resolution", "Change the password for this account using "
+                           "a PATCH to the 'Password' property at the URI "
+                           "provided."}});
+}
+
 } // namespace messages
 
 } // namespace redfish