MariaDB for reasons unknown requires a set password command be run against each account.

what do you mean by that? "requires" how?

under 10.2.13 the account's passwords never expired. the only time they got changed typically was when the user forgot the password and then as mysql we'd alter them a new one.

in September we upgraded our 24 MariaDB servers to 10.4.12 and 90 days later the mysql account crons started failing with a must set password error. so we had to do a set password for the root account.

then the users started reporting the same issue.

What i discovered is the day we did the upgrade that automatically established a PASSWORD LAST CHANGED date and also a EXPIRY DATE which was 90 days from the upgrade and PASSWORD LAST CHANGED date.

Our .my.cnf has a variable default to "default_password_lifetime=90"

So we had to execute an ALTER USER '?'@'?' PASSWORD EXPIRE INTERVAL 120 day;
for all our accounts and then advise the application that they will need to change their password every 90 days
going forward.

Let me know if i misstated anything or if there is anything else I should know regarding this change between 10.2.13 and 10.4.12.

Normally, of course, this shouldn't be happening. Definitely, not intended.

What could've happened, that after upgrading from MySQL 5.6 (or 5.7) via few MariaDB versions, and running mysql_upgrade every time, the original MySQL-ish columns in mysql.user table ended up in some unexpected position.

What does SHOW CREATE TABLE mysql.user returns?

Do you by any chance have mysql.user table before the upgrade? From a backup, may be?