Platform Identity and Access Management Architect Practice Exam 2025: Latest Questions
Test your readiness for the Platform Identity and Access Management Architect certification with our 2025 practice exam. Featuring 25 questions based on the latest exam objectives, this practice exam simulates the real exam experience.
Why Take This 2025 Exam?
Prepare with questions aligned to the latest exam objectives
2025 Updated
Questions based on the latest exam objectives and content
25 Questions
A focused practice exam to test your readiness
Mixed Difficulty
Questions range from easy to advanced levels
Exam Simulation
Experience questions similar to the real exam
Practice Questions
25 practice questions for Platform Identity and Access Management Architect
A company wants its employees to log in to Salesforce using corporate credentials managed by an external Identity Provider (IdP). Users should not manage separate Salesforce passwords, and the company wants centralized login policies at the IdP. Which approach best meets this requirement?
A partner portal uses SSO from an external IdP. The business wants to ensure that when a partner user is deactivated at the IdP, they can no longer access Salesforce immediately, even if their Salesforce user record is still active. What is the most effective design?
An admin needs to grant a group of users access to a set of apps, objects, and fields without changing their profiles. The access should be additive and easier to maintain as responsibilities change. What should the admin use?
A company must restrict user logins to trusted corporate networks and block access from unknown IP addresses. Which Salesforce control directly supports this requirement?
A single Salesforce org serves two subsidiaries. Each subsidiary requires its own login experience (branding) and must enforce different authentication policies (for example, one uses SAML with IdP A and the other uses SAML with IdP B). What is the recommended Salesforce capability to support this?
An API integration must access Salesforce data without user interaction. The security team requires that access be tied to an integration identity, not a human user’s credentials, and credentials must be easy to rotate. Which approach best fits?
Users report they are intermittently prompted to re-authenticate when switching between two Salesforce-related web applications that both use the same external IdP. The IdP session is still valid. What is the most likely Salesforce-side cause?
A global enterprise wants consistent user lifecycle governance: joiner/mover/leaver processes, least-privilege access requests, and periodic access reviews across multiple Salesforce orgs. Which solution pattern is most appropriate?
A company uses an external IdP for SAML SSO. Security requires that Salesforce trust the SAML assertion only if it is issued for the intended audience and has not been replayed. Which combination of controls most directly addresses these requirements?
A multi-org Salesforce program must allow a user to seamlessly access several orgs after a single login, while also ensuring each org can enforce its own authorization model and audit access independently. Which architecture best meets these goals with minimal credential sprawl?
A company uses Salesforce as an identity provider for multiple cloud apps. Security requires that some users authenticate with a security key (FIDO2/WebAuthn), while others can use a mobile authenticator app. What is the recommended Salesforce capability to enforce these different MFA methods by user population?
A Salesforce org must prevent logins from countries where the company has no presence, but still allow administrators to log in from anywhere for emergency support. Which solution best meets the requirement?
A new identity architect is reviewing an org where administrators frequently clone profiles to grant temporary access for projects. This has led to hundreds of profiles and inconsistent permissions. What is the best-practice recommendation to reduce sprawl and improve governance?
A company wants its customer portal (Experience Cloud) to support login via a corporate OpenID Connect (OIDC) provider. Requirements: just-in-time user provisioning, mapping external attributes to Salesforce fields, and minimal custom code. Which approach best fits?
Users report they can successfully SSO into Salesforce from the IdP, but API integrations using OAuth 2.0 fail with an error indicating the client is not permitted to use the requested grant type. What is the most likely misconfiguration?
A large enterprise needs to ensure that changes to authentication settings (SSO configurations, connected apps, session policies) follow a formal approval process and are auditable. Which solution best supports governance and compliance?
A company uses SCIM-based user provisioning from an identity provider into Salesforce. They want deprovisioning to immediately prevent access without deleting the user, while preserving historical record ownership and audit trails. Which target state is most appropriate when a user is terminated?
A Salesforce org uses a third-party IdP for SSO. Security requires that when a user is removed from a high-risk group in the IdP, their Salesforce access is reduced within minutes without waiting for manual intervention. Which architecture best meets this requirement?
An enterprise wants a single external identity (one username) to access multiple Salesforce orgs. They require that user lifecycle (create, update, deactivate) is centrally managed, and that users can be assigned different permission sets per org based on attributes. Which design is most appropriate?
A security review finds that several integrations use OAuth with refresh tokens and are allowed for 'All Users' in connected app policy. The company wants to minimize blast radius if a token is compromised while maintaining unattended integration capability. Which change provides the strongest risk reduction with minimal operational impact?
A global organization uses a single Salesforce org for employees and external partners. Employees authenticate with the corporate Identity Provider (IdP). Partners should authenticate with their own IdPs, and some partners require JIT provisioning. The org must enforce a consistent MFA policy for employees, but partners should follow their own MFA policies at their IdPs. Which architecture best meets these requirements?
A mobile app uses OAuth to access Salesforce APIs. Users report that after changing their Salesforce password, previously authorized sessions in the mobile app continue to work for days. Security policy requires that changing a password immediately invalidates existing OAuth access. Which control most directly addresses this requirement?
An admin needs to ensure customer community users can see only their own cases and knowledge articles in specific categories. The requirement must be met with least privilege and minimal ongoing administration. Which approach is recommended?
A company uses an external IdP for SSO into Salesforce. A subset of users intermittently fails to log in with a SAML error indicating the assertion is invalid or not yet valid. The IdP team says nothing changed in attribute mappings. What is the most likely root cause and best next step?
A regulated enterprise wants centralized governance to ensure that: (1) all new Salesforce permission sets and profiles follow least-privilege standards, (2) access changes are traceable to an approval, and (3) periodic access reviews are performed and documented. Which combination best supports these requirements?
Platform Identity and Access Management Architect 2025 Practice Exam FAQs
Platform Identity and Access Management Architect is a professional certification from Salesforce that validates expertise in platform identity and access management technologies and concepts. The official exam code is SALESFORCE-34.
The Platform Identity and Access Management Architect Practice Exam 2025 includes updated questions reflecting the current exam format, new topics added in 2025, and the latest question styles used by Salesforce.
Yes, all questions in our 2025 Platform Identity and Access Management Architect practice exam are updated to match the current exam blueprint. We continuously update our question bank based on exam changes.
The 2025 Platform Identity and Access Management Architect exam may include updated topics, revised domain weights, and new question formats. Our 2025 practice exam is designed to prepare you for all these changes.