Identity-and-Access-Management-Architect Sample Questions Answers

Salesforce Activations gives administrators visibility into the devices that users have activated for certain trusted access experiences and the ability to revoke those device activations when necessary. That aligns directly with compliance requirements to track devices used for login and to invalidate a device if it should no longer be trusted. Login History shows session data but not the same activation-management control plane. A custom object plus login flow would create a partial record, but it would not provide the built-in revocation semantics the requirement asks for. The important distinction is between observing a login event and managing device trust. Activations addresses device trust management, which is why it is the better fit here. This is why option D is the best answer in Salesforce terms.

External Identity is the Salesforce license intended for business-to-consumer and other external audience identity scenarios. When the requirement is to provide single sign-on or authentication services for customers rather than internal employees, this is the licensing model architects evaluate first. Identity Only is typically used for internal workforce users who need identity services without broad CRM access, while partner licenses address collaboration models tied to partner accounts. The design driver here is audience type: the users are external consumers of a B2C-style application. Salesforce separates those audiences in licensing because the underlying access model, scale expectations, and Experience Cloud use cases differ from workforce identity. That is why External Identity is the appropriate license choice. This is why option C is the best answer in Salesforce terms.

For social sign-on into Experience Cloud, Salesforce relies on authentication providers to establish trust with each social identity source and on a registration handler to create or update the Salesforce user and related records. That pattern applies whether the provider is Facebook, LinkedIn, Twitter, or a standards-based OpenID Connect provider. Process Builder or Flow does not replace the registration handler in this identity handshake. The registration handler is where Salesforce decides how to map the incoming identity to an existing user, when to create a new one, and how to update profile information over time. From an architecture standpoint, authentication providers solve the external trust, and the registration handler solves the user lifecycle inside Salesforce. This is why option C is the best answer in Salesforce terms.

For a mobile app using the user-agent flow, two connected-app controls work together when the business wants a long-lived session without repeated approval prompts. First, the app should be set to Admin Approved Users Are Pre-Authorized so users are not asked to approve API access inside the mobile experience. Second, the refresh-token policy should be configured for the required lifetime, such as three months, so the app can keep renewing access without forcing the user to log in again. A session timeout controls the UI session but not the refresh-token lifecycle in the same way. The architectural point is that user consent suppression and durable reauthentication behavior are governed by separate connected-app policies. This is why options C, D work together as the correct solution.

Identity Connect can synchronize several Salesforce security constructs from Active Directory-driven administration, particularly the identity and authorization artifacts attached to users. Profiles and permission sets are directly relevant because they define user capabilities in Salesforce. Roles also matter because they shape record access and hierarchy behavior. Public groups can participate in permission design and assignment patterns as well. By contrast, sharing rules and permission set licenses are not the core mapping focus in the same way. The main architectural takeaway is that Identity Connect is about translating directory-based user management into Salesforce access structures, especially those that determine who a user is, what they can do, and where they sit in the org’s access model. This is why options B, D, E work together as the correct solution.

For a mobile-first external identity use case, Salesforce requires both the right base license and the right verification channel entitlement. External Identity licenses support authentication for external users such as consumers, while SMS verification credits support sending one-time verification codes to mobile phones for passwordless or verification-based login experiences. Email verification credits would address email delivery, not SMS-based verification. Identity Connect is unrelated because it is an AD synchronization product for workforce identity, not a CIAM licensing option. The architecture requirement here is straightforward: external users authenticate to Salesforce-backed digital experiences, and mobile number verification is part of the sign-in model. That combination points to External Identity plus SMS verification capacity. This is why options A, D work together as the correct solution.

Identity Connect can synchronize several Salesforce security constructs from Active Directory-driven administration, particularly the identity and authorization artifacts attached to users. Profiles and permission sets are directly relevant because they define user capabilities in Salesforce. Roles also matter because they shape record access and hierarchy behavior. Public groups can participate in permission design and assignment patterns as well. By contrast, sharing rules and permission set licenses are not the core mapping focus in the same way. The main architectural takeaway is that Identity Connect is about translating directory-based user management into Salesforce access structures, especially those that determine who a user is, what they can do, and where they sit in the org’s access model. This is why option D is the best answer in Salesforce terms.

Identity Connect is positioned primarily as a user provisioning and deprovisioning bridge between Microsoft Active Directory and Salesforce. In designs where AD is the authoritative source for user status, deactivating a user upstream should be reflected quickly in Salesforce access. That is why architects pay attention to what happens to existing sessions when a user is disabled in the source directory. The feature is not a managed package, and it is not an identity provider that automatically brokers SSO by itself. It also does not “solve” license overages by disabling users in a FIFO pattern. The relevant capability is operational user-state synchronization: when identity status changes in directory services, Salesforce access should be withdrawn in a controlled, security-focused way. This is why option D is the best answer in Salesforce terms.

For a server-to-server integration that should avoid end-user interaction and maximize security, the JWT Bearer Flow is the strongest fit. Salesforce documents it for noninteractive scenarios where a trusted external service can sign an assertion with a certificate and exchange it for an access token. That means no browser- based approval screen, no password collection, and no dependence on a human being present to authorize the session. Web Server and User-Agent flows are designed for interactive delegated access, while username-password is a special-case pattern with weaker security characteristics. The architectural takeaway is simple: when the client is a trusted server and the goal is high assurance with minimal user involvement, certificate-based JWT exchange is the preferred Salesforce approach. This is why option A is the best answer in Salesforce terms.

To integrate an external application with Salesforce by using OAuth 2.0, the architect generally needs a connected app and the right OAuth scopes. The connected app defines the trust relationship and client identity, while the scopes specify what access the app can request, such as API access or refresh-token capability. Authentication providers solve inbound sign-in from an external identity source, which is a different use case. A vague “OAuth token” is the result of the configuration, not the administrative construct you build first. The important architecture principle is that OAuth access to Salesforce starts with a connected app. Without that, the external order-fulfillment application has no registered client identity or scope model for calling Salesforce APIs. This is why option D is the best answer in Salesforce terms.

Dynamic branding in Experience Cloud relies on the Experience ID, sometimes carried as the expid parameter or equivalent placeholder in the URL, so Salesforce can render the right login experience for the selected brand. This is the scalable way to vary the look and feel without duplicating entire identity stacks. The community template choice can matter because not every template exposes branding capabilities the same way, but the central concept is still the Experience ID. External CMS tools are not required just to route the login experience by brand. From an architecture standpoint, this keeps the login framework centralized while letting the entry experience adapt to whichever brand, campaign, or sub-experience the user selected before authentication. This is why options B, D work together as the correct solution.

Once SAML SSO is already configured, enabling Just-in-Time provisioning in Salesforce is done on the SAML Single Sign-On setting itself. The architect turns on JIT user provisioning, selects the provisioning type, and supplies the SAML JIT handler if custom logic is needed. That is the expected configuration path because JIT is part of the federation handshake, not a sharing model or permission-set feature. Creating a random Apex class without wiring it into the SAML setting would not enable JIT on its own. The architectural distinction is that JIT rides inside the SAML login process. Therefore it must be enabled and configured where Salesforce processes the incoming assertion. This is why option A is the best answer in Salesforce terms.

Salesforce supports dynamic branding for Experience Cloud login journeys through the Experience ID parameter. The Experience ID tells Salesforce which branded experience to render, allowing a single identity implementation to serve multiple brands or sub-brands without building separate authentication stacks. This is more scalable than asking users to pick a brand after arrival or inventing custom parameters and branding logic outside the standard experience framework. It also works cleanly with OAuth and SAML-based sign-in patterns, which is why it is commonly recommended in multi-brand CIAM designs. When the requirement is to reliably present the correct branded Salesforce experience during login, the Experience ID is the built-in mechanism intended for that routing and presentation layer. This is why option A is the best answer in Salesforce terms.

Salesforce supports token revocation through the revoke token endpoint. When an external application logs the user out and the existing OAuth token must be invalidated immediately, the application should make the appropriate HTTP request to that revocation endpoint and include the current token. That explicitly tells Salesforce the token should no longer be accepted. Requesting a new refresh token or calling unrelated endpoints would not invalidate the existing authorization. Single Logout can help in federated browser journeys, but the requirement here is specifically about invalidating the OAuth token itself. The architecture distinction is important: session logout and token revocation are related but not identical operations, and Salesforce provides a dedicated endpoint for revocation. This is why option A is the best answer in Salesforce terms.

When partner onboarding must prevent duplicate accounts across Salesforce and an external identity store, the safest design is to control registration in one orchestrated flow rather than allowing each system to create identities independently. A custom self-registration experience can validate whether the partner already exists, create the Salesforce partner records in the right account structure, and coordinate identity creation only once. This avoids the common duplication problem where the identity provider and Salesforce both accept separate registrations for the same business user. The architecture goal is not simply sign-in; it is controlled provisioning with deduplication. For that reason, a custom registration page or process that checks existing partners and then creates records in the right order is the strongest fit. This is why option A is the best answer in Salesforce terms.

Login Flows are the least-custom way to present user-specific messaging before a user lands on an Experience Cloud home page. Salesforce designed login flows to insert screens into the authentication journey, which makes them a strong fit for pre-homepage alerts, acknowledgments, and decision points. A custom homepage component can display alerts after login, but it does not satisfy the “before they land on the homepage” requirement as directly. Custom metadata with LWC or a specialized registration handler introduces more build effort than needed. The important platform distinction is timing: login flows run during authentication and can show a screen before the session continues to the destination page. That is why they are commonly chosen for policy notices, onboarding prompts, and personalized pre-entry messages. This is why option B is the best answer in Salesforce terms.

OAuth scopes are the mechanism Salesforce uses to define what an external application can request access to. If the requirement is to control access to protected resources in a flexible and granular way, custom scopes are the right enhancement. They let the architect express purpose-specific access boundaries beyond coarse app approval alone. Admin-preapproved access and permission sets govern who can use the connected app, but scopes govern what the token is intended to do. External objects and data classification don’t solve the token-authorization problem. The design principle is least privilege at the API boundary. By carefully defining and assigning scopes, the organization can limit access in a way that is meaningful to both the application and the resource server. This is why option B is the best answer in Salesforce terms.

When multiple identity providers must coexist in one Salesforce org, the standard pattern is to surface them through My Domain authentication settings so users can authenticate against the correct IdP. That is particularly important when generated email links bring users back into Salesforce and the org has to present the proper login options consistently. Rather than modifying every email with custom query logic or relying on IdP-initiated links, Salesforce can expose multiple login services at the domain level. This keeps the experience aligned with the org’s authentication service configuration. In multi-IdP organizations, the identity architecture should steer users through the My Domain login service so the correct SSO path is available when they arrive from system-generated links. This is why option C is the best answer in Salesforce terms.

Dynamic branding in Experience Cloud relies on the Experience ID, sometimes carried as the expid parameter or equivalent placeholder in the URL, so Salesforce can render the right login experience for the selected brand. This is the scalable way to vary the look and feel without duplicating entire identity stacks. The community template choice can matter because not every template exposes branding capabilities the same way, but the central concept is still the Experience ID. External CMS tools are not required just to route the login experience by brand. From an architecture standpoint, this keeps the login framework centralized while letting the entry experience adapt to whichever brand, campaign, or sub-experience the user selected before authentication. This is why option D is the best answer in Salesforce terms.

Salesforce’s secure MFA guidance is based on two independent factors, not simply any second code that can be sent to the user. Strong MFA methods include possession-based authenticators and standards-compliant mechanisms such as security keys, approved authenticator apps, and trusted third-party SSO solutions that themselves enforce strong MFA. Lightning Login is also treated as a passwordless, device-based secure approach in the Salesforce ecosystem. By contrast, SMS and email verification do not meet Salesforce’s general MFA requirement for secure user-interface logins in the same way. The architecture point is that Salesforce distinguishes between convenience verifications and strong authentication factors. For compliance-driven MFA, architects should choose the methods Salesforce classifies as high-assurance. This is why options A, B, D work together as the correct solution.

Salesforce Experience Cloud includes out-of-the-box branding options for login and registration experiences, and those can be extended through Experience Builder for related pages such as forgot-password and reset-password journeys. The standard site administration and branding controls can cover logos, colors, and certain visual treatments of the login page. Where the business wants branded password-management pages as well, Experience Builder is the supported way to build those experiences consistently. That is better than creating fully custom pages for everything unless the requirement truly goes beyond what the platform supports. The architecture point is to use the built-in branding framework first and extend through Experience Builder where branded identity pages are needed. This is why options A, D work together as the correct solution.

For social sign-on into Experience Cloud, Salesforce relies on authentication providers to establish trust with each social identity source and on a registration handler to create or update the Salesforce user and related records. That pattern applies whether the provider is Facebook, LinkedIn, Twitter, or a standards-based OpenID Connect provider. Process Builder or Flow does not replace the registration handler in this identity handshake. The registration handler is where Salesforce decides how to map the incoming identity to an existing user, when to create a new one, and how to update profile information over time. From an architecture standpoint, authentication providers solve the external trust, and the registration handler solves the user lifecycle inside Salesforce. This is why options B, C work together as the correct solution.

Identity Verification Credits are consumed when Salesforce sends verification challenges through the configured channel, and SMS-based passwordless login specifically depends on SMS verification activity. Therefore the right estimation approach is to forecast how many SMS verification events the portal will generate, not how many community licenses exist. Some Salesforce identity offerings include baseline entitlements, but capacity planning still centers on expected verification traffic. If the portal intends to let customers log in with one-time passcodes sent by text, then every challenge can consume credits. The architecture question is really an operational one: estimate the expected volume of SMS-based login verification and size the verification-credit requirement to match that demand. This is why option C is the best answer in Salesforce terms.

In OAuth-based Salesforce integrations, intermittent logout behavior is often tied to token lifecycle rather than to general platform permissions. Salesforce documentation distinguishes clearly between authentication, authorization, and token validity. Even if the initial login succeeds, the user can appear to be “randomly logged out” when an access token expires, is revoked, or can no longer be refreshed according to policy. That is why token status and refresh behavior should be checked early in troubleshooting. Browser version, network delay, or missing Salesforce permissions can cause other access problems, but they do not typically explain an established SSO session ending intermittently in an OAuth flow. The first architectural checkpoint is whether the token issued by the identity provider remains valid for the expected duration. This is why option A is the best answer in Salesforce terms.

If the external portal supports OAuth-based identity and Salesforce must accept its users for single sign-on, OpenID Connect is the right standards-based pattern because it adds identity semantics on top of OAuth. That is why Salesforce can be configured to trust the portal as an identity provider through OIDC rather than through generic delegated authentication. A connected app alone would not make Salesforce treat the portal as the identity source. Delegated Authentication is also a different model centered on username/password validation through a web service. The architectural advantage of OIDC is that the portal can remain the source of identity while Salesforce consumes verified user information and establishes a federated session. This is why option D is the best answer in Salesforce terms.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option A is the best answer in Salesforce terms.

When users report SSO login errors, Login History is the first Salesforce-native place to look for the failure details. It records authentication attempts, statuses, timestamps, source information, and failure reasons that help narrow down whether the problem lies in the identity provider, the assertion, or the Salesforce configuration. Setup Audit Trail is for admin changes, not runtime authentication troubleshooting, and exception email is not the primary way to debug SSO. The practical reason architects start with Login History is that it tells you what Salesforce actually received and how Salesforce evaluated it. That makes it a reliable first checkpoint during alumni portal, workforce SSO, or community login investigations. This is why option B is the best answer in Salesforce terms.

Salesforce’s JWT bearer flow is intended for server-to-server or noninteractive scenarios where a signed assertion is exchanged for an access token. Because the assertion is signed, the connected app must be configured to use a digital signature. The integration also needs the api scope so that the resulting token can call Salesforce APIs. Other scopes, such as generic web access, do not address the core requirement of API access through a JWT assertion. The design principle behind this flow is that no user is present to approve access interactively, so trust is established through certificate-based signing and the connected app’s policy configuration. That is why the digital signature setting is essential, not optional, in a JWT-based Salesforce integration. This is why options A, C work together as the correct solution.

When users must be allowed to launch an external service provider from Salesforce only if the organization has explicitly authorized them, the connected app should use the Admin Pre-Approved access policy. That setting moves app access out of end-user consent and into administrator control. Profiles or permission sets then determine exactly which users can use the app. This is the standard Salesforce pattern for governed OAuth access in enterprise environments. Assigning authentication providers to profiles or simply exposing the app to a community does not replace the approval and entitlement model of the connected app itself. The architectural point is that app access and user authorization should be centrally controlled, auditable, and limited to approved users. This is why options C, D work together as the correct solution.