Platform Identity and Access Management Architect Intermediate Practice Exam: Medium Difficulty 2025

A global company uses a single Salesforce org for multiple brands. Some users must keep separate brand identities (different usernames and MFA devices) while others should have a single identity across brands. The company also wants centralized control over authentication policies. Which approach best meets these requirements?

An organization is merging two business units that each has its own identity store. They want to migrate to a single login experience for Salesforce while allowing both identity stores to remain during transition. Users should be able to log in with either identity store based on their email domain. What should the architect recommend?

A company has a customer portal built on Experience Cloud. They want customers to log in using a social identity provider and also allow some customers to use their enterprise SAML identity. The portal must map inbound users to existing Contact records and prevent duplicate user creation. What is the best solution?

A company uses an external IdP for employee SSO into Salesforce. They need to enforce MFA for all employees, but the IdP is not consistently enforcing MFA. The security team wants Salesforce to ensure MFA even when SSO is used. What should the architect recommend?

An org integrates with an external HR system to provision and deprovision employees. The company wants near-real-time access revocation across Salesforce and connected apps when an employee leaves. They use SAML SSO with an IdP and have several OAuth connected apps. Which approach best supports timely deprovisioning?

A mobile app uses OAuth to access Salesforce APIs on behalf of users. The security team wants to reduce risk from token theft and ensure tokens can’t be replayed from other devices. Which design is most appropriate?

A sales operations team needs to give a subset of users temporary access to view opportunities in an otherwise restricted region for a two-week period. The access must be time-bound with minimal admin overhead and should not require changes to role hierarchy. What is the best solution?

A regulated company needs to ensure administrators cannot directly log in as end users without a documented approval, while still allowing troubleshooting. They also need an audit trail of who accessed what and when. What should the architect recommend?

A company is implementing a new identity program across multiple Salesforce orgs and wants consistent authorization policies. They plan to standardize on permission sets, permission set groups, and least privilege. They also want a repeatable way to deploy and govern changes. What is the best recommendation?

A company has multiple external applications that need access to Salesforce APIs. Some are machine-to-machine integrations, while others act on behalf of a specific user for auditing. The security team wants to minimize credential sharing and ensure appropriate audit trails. Which strategy is most appropriate?