When creating a user in IDM, make sure that you always assign a provisioning role at the time of creation. It can be an empty provisioning role with no account template. This ensures that the user gets created in the Provisioning Store at the same time, and that the password set in IDM is also set in the Provisioning Store.
If you assign the provisioning role AFTER creating the user in IDM, then the user will get created in the Provisioning Store, but the password will not be there (as IDM can only access the hashed password in the user store at this point in time, which it obviously cannot decrypt). This will then cause problems if you try to provision the user to endpoints. So use something like PX to ensure that all users get a provisioning role at the time of creation (assuming that this is what you want).
Pearse