I would avoid using the scheduled search trigger since it only shows a preview of the first 20 records. You may very well have more users doing a password reset than 20. Instead, I would set up a “Scheduled Trigger” to run at a set interval (e.g. every hour), and have the workflow invoke an HTTP Request to the search API. The search request will use the query that @edmarks provided above:
As for an example of how to set up this workflow, check out the first 20 minutes from this livestream that I recorded.
The use case I cover in the video is for new user onboarding, but it can easily be adapted to search for identities that do a password reset instead. You’ll want to grab the templates from here.