Final answer:
Use Azure AD Conditional Access to prompt password changes for users connecting from anonymous IP addresses. This service allows policy creation to enforce security measures based on various conditions like location and device state.
Step-by-step explanation:
To require Azure AD users to change their passwords when connecting from the Internet with an anonymous IP address, you should use Azure AD Conditional Access. This Azure service enables you to create and enforce policies that perform specific actions such as requiring a password change, depending on various conditions, including the user's location, device state, and the application they are accessing. This approach allows for the enforcement of additional security measures like password change prompts outside of the organization's usual sign-in risk policies.