50 Platform Identity and Access Management Architect Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Platform Identity and Access Management Architect certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Platform Identity and Access Management Architect
A company uses a central Identity Provider (IdP) to authenticate employees. The security team wants Salesforce to accept authentication from the IdP and automatically create users on first login while ensuring users are assigned to the correct profile and permission sets based on department attributes. What should the architect recommend?
An enterprise wants a single set of credentials for multiple Salesforce orgs. Users should authenticate once and then access each org without re-entering credentials. Which approach best meets this requirement?
A security architect needs to restrict API access so that only integrations using approved connected apps can obtain access tokens, and user credentials must never be stored by the integration. Which option should be recommended?
A global company wants to ensure that when employees leave, their access across Salesforce is removed promptly and consistently. The HR system is the source of truth for employment status. What is the best-practice approach?
A customer community uses an external IdP for authentication. Users can log in successfully, but they intermittently see "We can't log you in because of an issue with single sign-on". Logs show the SAML response is accepted, but Salesforce denies access. What is the most likely cause?
A company must enforce multi-factor authentication (MFA) for all interactive logins to Salesforce, including users who authenticate via SAML SSO through a corporate IdP. The company wants the IdP to be the single place where MFA is enforced. What should the architect recommend?
An architect is designing access controls for a regulated environment. Business users must only see records for their region, and exceptions are rare but must be auditable. Which design best supports least privilege and auditability?
A company uses multiple permission sets and groups to manage entitlements. An audit found users accumulating access over time when they change jobs. The company wants a scalable way to ensure users only have access required for their current role. What should the architect recommend?
A company wants customers to log in to an Experience Cloud site using social identity providers and also allow customers to link multiple identities (e.g., Google and Facebook) to the same community user. Which design is most appropriate?
An integration uses a headless process that must access Salesforce APIs. Security requires no shared user credentials, the ability to rotate secrets, and the ability to revoke access without impacting any human user. Which approach best fits these requirements?
A company wants to allow external partner users to access multiple Experience Cloud sites using the same login across all sites in the org. Partners should not have separate usernames per site. Which approach best meets the requirement?
An architect is reviewing a Salesforce org that uses SAML SSO with an external IdP. Users report they can authenticate successfully, but they intermittently land in a new user registration flow instead of being logged in. Which misconfiguration is the most likely cause?
A security team wants to ensure that API integrations cannot access Salesforce unless the calling client uses a connected app and presents a valid OAuth token. They also want to prevent use of username-password authentication for the integration user. Which setting best supports this requirement?
A global company has multiple Salesforce orgs and wants a consistent way to disable a user quickly across all orgs when they leave. The company uses an enterprise IdP for SSO. Which architecture best supports centralized deprovisioning?
An org uses SAML SSO with an IdP. The security team requires step-up authentication (MFA) only when users access a specific Salesforce app that contains sensitive data. Users should not be prompted for MFA when accessing standard apps. Which approach best meets the requirement with minimal Salesforce customization?
A company wants to allow third-party vendors to access a set of custom APIs hosted in Salesforce. Vendors must authenticate with OAuth 2.0 and should be limited to only the required API scopes. What is the recommended design?
After enabling a new Authentication Provider for OpenID Connect (OIDC), users report an error during login: "URL No Longer Exists" right after authenticating at the external provider. The external provider confirms it is sending an authorization code back to Salesforce. What is the most likely cause?
A regulated customer requires that administrators can troubleshoot access issues without being able to view end-user data unless explicitly approved. Which capability best supports this separation of duties in Salesforce?
An enterprise wants to use Salesforce as an identity provider (IdP) for several downstream SaaS apps. They require that access to those apps be revoked immediately when a user's Salesforce access is removed, and they want centralized control of app entitlements. Which design best satisfies this requirement?
A company is migrating from multiple legacy directories into a single enterprise IdP. During the transition, some users will authenticate from Directory A and others from Directory B. The Salesforce org must support both populations without creating duplicate Salesforce users. Which approach is the most robust?
A company uses a single Salesforce org for both internal employees and external partners. The security team wants to ensure external users can never accidentally receive internal permission sets even if an admin makes a mistake. What is the best architectural approach?
An admin needs to allow access to a Lightning app only for a subset of users without changing their object permissions. Which feature is the most appropriate?
A customer configures SAML SSO from their IdP to Salesforce. Users report intermittent login failures only when using the IdP-initiated flow. SP-initiated logins work consistently. Which is the most likely cause?
A company wants to simplify access requests: users should receive a standard baseline of permissions plus one of three job-function bundles. The IAM architect wants to reduce the risk of conflicting permission assignments and make reviews easier. What should be implemented?
An org uses SSO. The security team wants to require MFA only when users are outside the corporate network, while keeping SSO as the primary authentication method. Which approach best meets the requirement?
A partner community needs access to a subset of Accounts and related Cases. The business wants partners to see only records explicitly shared to their partner account, not all records owned by users below them in the role hierarchy. Which configuration best supports this requirement?
An architect is evaluating authentication options for a custom mobile app that must access Salesforce APIs on behalf of the user. The app should avoid storing user credentials and must support token revocation and short-lived access. Which approach is most appropriate?
A company wants to standardize identity attributes across multiple Salesforce orgs and downstream apps. They need a single authoritative source for user lifecycle (joiner/mover/leaver) and want consistent deprovisioning. Which concept best addresses this?
After enabling SCIM-based provisioning from an identity provider into Salesforce, administrators notice that when a user changes departments, the user remains in the old permission set group for days, creating excessive access. The IdP is the system of record for group membership. What is the best solution?
A user can authenticate via SSO successfully, but is immediately redirected to an error stating they are not permitted to access the application. Other users in the same IdP group can access Salesforce. Which is the most likely Salesforce-side cause?
A company uses Salesforce as a Service Provider (SP) with SAML SSO. They want to ensure users can still log in if the corporate Identity Provider (IdP) is temporarily unavailable. What is the recommended approach?
An architect needs to explain the primary purpose of the OAuth 2.0 refresh token in Salesforce integrations. What is the best description?
A security team wants to ensure that users cannot log in from countries outside an approved set, even if they have valid SSO credentials. Which Salesforce capability best addresses this requirement?
A company wants a central way to grant and revoke access across multiple Salesforce orgs using job roles (for example, 'Sales Rep', 'Support Agent') with least privilege. Which approach is most aligned with identity governance best practices?
A mobile app uses OAuth 2.0 to access Salesforce APIs on behalf of users. Security requires that intercepted authorization codes cannot be exchanged for tokens without proof from the same app instance. Which control should the architect recommend?
A customer has two Salesforce orgs (Sales and Service). They want users to log in once through the corporate IdP and access both orgs without re-authenticating. They also want a consistent logout experience. Which architecture is most appropriate?
An org uses external identity (community) users. The business wants to ensure that when a partner employee leaves their company, access is removed quickly and consistently across all partner users. What is the most effective governance-oriented solution?
A company uses certificate-based mutual TLS for an integration to Salesforce APIs. After a certificate rotation, calls start failing with authentication errors. The client confirms it is presenting the new certificate. What is the most likely Salesforce-side issue to check first?
A regulated enterprise requires that administrators who assign permissions must not be the same individuals who approve access requests. They want this enforced and auditable across Salesforce and other SaaS apps. Which solution best satisfies this requirement?
A company uses SAML SSO from an IdP to Salesforce. They also need Salesforce users to call an external API that only accepts OAuth tokens issued by the same IdP (not Salesforce). The solution must avoid storing user passwords in Salesforce and should provide a seamless user experience. What architecture should the architect recommend?
A partner community uses Experience Cloud with SSO. Users are intermittently unable to access Salesforce after the IdP login and receive an error indicating the SAML assertion is invalid. The issue occurs only when the partner switches between two different browsers where both are logged into the IdP. What is the most likely cause?
A company wants to enforce that all API integrations authenticate using short-lived credentials and rotate automatically without storing user passwords. Which approach best meets the requirement for Salesforce-to-Salesforce or external client integrations?
An architect needs to design access for a global service organization. Users in each region must only see cases for their region, but a central escalation team must see all cases across regions. The company wants a scalable model with minimal manual sharing. Which design is recommended?
A company uses multiple Salesforce orgs. They want a single identity for each employee, centrally deprovision access, and ensure user access is removed across all orgs within minutes of HR termination. Which approach best supports this governance requirement?
A customer wants to require MFA for all interactive logins to Salesforce, including SSO users, but allow certain headless integrations to continue without MFA. Which configuration best satisfies the requirement?
A company is implementing Experience Cloud for external users. They need to ensure each external user can only see and edit records explicitly shared with them or owned by them, even if internal users have broader access. Which setting most directly supports this requirement?
A security team wants to reduce risk from users authorizing third-party connected apps. They need to allow only sanctioned apps and block end-user OAuth authorization for all other apps. What is the best approach?
Users report they are unexpectedly logged out of Salesforce when switching between the Salesforce UI and an embedded canvas app that uses SSO. The canvas app is hosted on a different domain and uses an iframe. What is the most likely root cause?
A company needs to allow help desk staff to unlock users and reset passwords but must prevent them from viewing or editing user details such as profiles, permission set assignments, or role. What is the recommended solution?
An enterprise IdP sends SAML assertions to Salesforce. The security team requires that Salesforce reject assertions unless they include a specific authentication context (e.g., MFA) and they want this enforced even if the IdP misconfigures its access policies. Which solution best meets the requirement?
Platform Identity and Access Management Architect 50 Practice Questions FAQs
Platform Identity and Access Management Architect is a professional certification from Salesforce that validates expertise in Salesforce platform identity and access management technologies and concepts. The official exam code is SALESFORCE-34.
Our 50 Platform Identity and Access Management Architect practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
A 50-question bank is a great starting point for Platform Identity and Access Management Architect preparation. For comprehensive coverage, we recommend also using our 100- and 200-question banks as you progress.
The 50 Platform Identity and Access Management Architect questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.