Identity-and-Access-Management-Architect exam questions for practice in 2026 Updated 244 Questions Updated Jan-2026 Premium Identity-and-Access-Management-Architect Exam Engine pdf - Download Free Updated 244 Questions Salesforce Certified Identity and Access Management Architect certification is designed to validate a candidate's knowledge and skills in designing and implementing identity and access [...]

Identity-and-Access-Management-Architect exam questions for practice in 2026 Updated 244 Questions [Q43-Q58]

Share

Identity-and-Access-Management-Architect exam questions for practice in 2026 Updated 244 Questions

Updated Jan-2026 Premium Identity-and-Access-Management-Architect Exam Engine pdf - Download Free Updated 244 Questions


Salesforce Certified Identity and Access Management Architect certification is designed to validate a candidate's knowledge and skills in designing and implementing identity and access management solutions within Salesforce. Salesforce Certified Identity and Access Management Architect certification ensures that the candidate has a deep understanding of the Salesforce platform and can design and implement secure solutions that align with industry best practices.

 

NEW QUESTION # 43
Universal Containers has multiple Salesforce instances where users receive emails from different instances.
Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record.
What should be enabled in Salesforce as a prerequisite?

  • A. External Identity
  • B. Identity Provider
  • C. Multi-Factor Authentication
  • D. My Domain

Answer: D

Explanation:
Explanation
My Domain is a feature that allows you to personalize your Salesforce org with a subdomain within the Salesforce domain. For example, instead of using a generic URL like https://na30.salesforce.com, you can use a custom URL like https://somethingReallycool.my.salesforce.com10. My Domain should be enabled in Salesforce as a prerequisite for the following reasons:
My Domain lets you work in multiple Salesforce orgs in the same browser. Without My Domain, you can only log in to one org at a time in the same browser.
My Domain lets you set up single sign-on (SSO) with third-party identity providers (IdPs). SSO is an authentication method that allows users to access multiple applications with one login and one set of credentials. With My Domain and SSO, users can log in to Salesforce using their corporate credentials or social accounts.
My Domain lets you customize your login page with your brand. You can add your logo, background image, right-frame content, and authentication service buttons to your login page.
References:
My Domain
[Customize Your Login Process with My Domain]


NEW QUESTION # 44
Universal Container's (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar.
UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month.
Which of the following license types should be used to meet the requirement?

  • A. External Apps License
  • B. Customer Community plus Login License
  • C. Partner Community License
  • D. Partner Community Login License

Answer: D

Explanation:
Explanation
Partner Community Login License is the best option for UC's use case, as it allows external partners to access Experience Cloud sites and Salesforce data with a pay-per-login model. The other license types are either too expensive or not suitable for partner users. References: Experience Cloud User Licenses, Salesforce Experience Cloud Pricing


NEW QUESTION # 45
Which twosecurity risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce?
Choose 2 answers

  • A. Users choosing passwords that are the same as their Facebook password.
  • B. Users leaving laptops unattended and not logging out of Salesforce.
  • C. Users creating simple-to-guess password reset questions.
  • D. Users accessing Salesforce from a public Wi-Fi access point.

Answer: A,D

Explanation:
Enabling Two-Factor Authentication (2FA) in Salesforce can mitigate the security risks of users accessing Salesforce froma public Wi-Fi access point or choosing passwords that are the same as their Facebook password. 2FA is an additional layer of protection beyond your password that requires users to verify their identity with another factor, such as a mobile app, a securitykey, or a verification code. This can prevent unauthorized access even if the user's password is compromised or guessed by a malicious actor. The other options are not directly related to 2FA, but rather to user behavior or password policies.


NEW QUESTION # 46
A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?

  • A. The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider.
  • B. If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they login to the SP.
  • C. OIDC is more secure than SAML and therefore is the obvious choice.
  • D. They are equivalent protocols and there is no real reason to choose one over the other.

Answer: A

Explanation:
Explanation
When integrating a SP that supports both SAML and OIDC with Salesforce, the use case that is the determining factor when choosing OIDC or SAML is whether the SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider. OIDC is a protocol that allows users to authorize an external application to access Salesforce resources on their behalf. OIDC provides an access token that can be used to call Salesforce APIs. SAML is a protocol that allows users to authenticate and authorize with an external identity provider and access Salesforce resources. SAML does not provide an access token, but only a session ID that can be used for web-based access. Therefore, if the SP needs to perform API calls back to Salesforce, OIDC is the preferred choice over SAML. References: OpenID Connect, SAML, Authorize Apps with OAuth


NEW QUESTION # 47
Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding Connected App to control where the app is visible. Which two options are correct in regards to where the app can be made visible under the Connected App setting for the Canvas app? Choose 2 answers

  • A. As part of the body of a Salesforce Knowledge article.
  • B. The sidebar of a Salesforce Console as a console component.
  • C. In the mobile navigation menu on Salesforce for Android.
  • D. Included in the Call Control Tool that's part of Open CTI.

Answer: A,B


NEW QUESTION # 48
Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding Connected App to control where the app is visible. Which two options are correct in regards to where the app can be made visible under the Connected App setting for the Canvas app? Choose 2 answers

  • A. The sidebar of a Salesforce Console as a console component.
  • B. As part of the body of a Salesforce Knowledge article.
  • C. Included in the Call Control Tool that's part of Open CTI.
  • D. In the mobile navigation menu on Salesforce for Android.

Answer: A,C

Explanation:
Explanation
The sidebar of a Salesforce Console as a console component and included in the Call Control Tool that's part of Open CTI are two options that are correct in regards to where the app can be made visible under the connected app settings for the Canvas app. A Canvas app is an external application that can be embedded within Salesforce using an iframe. A connected app is an application that integrates with Salesforce using APIs and uses OAuth as the authentication protocol. You can control where a Canvas app can be displayed in Salesforce by configuring the locations in the connected app settings. The sidebar of a Salesforce Console as a console component is a valid location for a Canvas app because it allows you to display the app as a collapsible panel on the side of any console app. Included in the Call Control Tool that's part of Open CTI is a valid location for a Canvas app because it allows you to display the app as part of the softphone panel that integrates with your telephony system. As part of the body of a Salesforce Knowledge article is not a valid location for a Canvas app because it is not supported by the connected app settings. In the mobile navigation menu on Salesforce for Android is not a valid location for a Canvas app because it is not supported by the connected app settings. References: : [Canvas Developer Guide] : [Connected Apps Overview] : [Add or Remove Components from Your Console Apps] : [Open CTI Developer Guide]


NEW QUESTION # 49
Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). of Every userthat is in UC2, UC3, UC4, and UC5 is also in UC1, however not all users 65* have access to every org. Universal Containers would like to simplify the authentication process such that all Salesforce users need to remember one set of credentials. UC would like to achieve this with the least impact to cost and maintenance. What approach should an Architect recommend to UC?

  • A. Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs.
  • B. Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.
  • C. Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.
  • D. Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for other orgs.

Answer: B

Explanation:
The best approach to simplify the authentication process and reduce cost and maintenance is to configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs. This way, users can log in to any of thefive orgs using their UC1 credentials, and their user accounts will be automatically created or updated in the other orgs based on the information from UC11. This eliminates the need to purchase a third-party Identity Provider or manually provision users in advance. The other options are not optimal forthis requirement because:
* Purchasing a third-party Identity Provider for all five Salesforce orgs would incur additional cost and maintenance, and would not leverage the existing user base in UC1.
* Not setting up JIT user provisioning for other orgs would require manually creating or updating user accounts in each org, which would be time-consuming and error-prone. References: Salesforce as an Identity Provider, Identity Providers and Service Providers, Just-in-Time Provisioning for SAML


NEW QUESTION # 50
A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number.
The phone number will be used for identity verification.
Which feature should an identity architect recommend to meet the requirements?

  • A. Integrate with social websites (Facebook, Linkedin. Twitter)
  • B. Use an external Identity Provider
  • C. Create a custom Lightning Web Component
  • D. Use Login Discovery

Answer: D

Explanation:
Explanation
Login Discovery allows the administrator to configure a custom login page that collects additional information from users, such as phone number, and use it for identity verification. Login Discovery can also be used to route users to different identity providers based on their input. References: Login Discovery, Customize Your Experience Cloud Site Login Process


NEW QUESTION # 51
Universal Containers (UC) is building a custom Innovation platform on their Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the Data. UC would like all users to be able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party idp using SAML SSO. What is the optimal Salesforce licence type for all of the UC employees?

  • A. Identity Licence.
  • B. External Identity Licence.
  • C. Salesforce Platform Licence.
  • D. Salesforce Licence.

Answer: C

Explanation:
Explanation
The optimal Salesforce license type for all of the UC employees who will access the custom Innovation platform without logging in with Salesforce credentials is the Salesforce Platform license. The Salesforce Platform license allows users to access custom applications built on the Lightning Platform, such as Apex and Visualforce, and use standard objects such as accounts, contacts, reports, dashboards, and custom tabs. It also supports SSO with a third-party identity provider using SAML. Option A is not a good choice because the Identity license is designed for users who need to access Salesforce Identity features, such as identity provider, social sign-on, and user provisioning, but not for users who need to access custom applications. Option B is not a good choice because the Salesforce license is designed for users who need full access to standard CRM and Lightning Platform features, such as leads, opportunities, campaigns, forecasts, and contracts, but it may be unnecessary or expensive for users who only need to access custom applications. Option C is not a good choice because the External Identity license is designed for users who are external to the organization, such as customers or partners, but not for users who are internal employees.
References: Salesforce Help: User License Types, [Salesforce Help: Single Sign-On for Desktop and Mobile Applications using SAML and OAuth]


NEW QUESTION # 52
Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled "User Provisioning" on the Connected App so that changes to user accounts can be synched between Salesforce and the third-party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system. What is the most likely reason for this behavior?

  • A. The Approval queue for User Provisioning Requests is unmonitored.
  • B. Salesforce roles have more than three levels in the role hierarchy.
  • C. User Provisioning for Connected Apps does not support role sync.
  • D. Required operation(s) was not mapped in User Provisioning Settings.

Answer: D

Explanation:
Explanation
User Provisioning for Connected Apps supports role sync, but the required operation(s) must be mapped in User Provisioning Settings. According to the Salesforce documentation1, "To provision roles, map the Role operation to a field in the connected app. The field must contain the role's unique name." Therefore, option B is the correct answer.
References: Salesforce Documentation


NEW QUESTION # 53
Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud.
NTO has asked an identity architect to identify which salesforce security configurations can map to AD permissions.
Which three Salesforce permissions are available to map to AD permissions?
Choose 3 answers

  • A. Field-Level Security
  • B. Public Groups
  • C. Roles
  • D. Profiles and Permission Sets
  • E. Sharing Rules

Answer: B,C,D

Explanation:
Salesforce Identity Connect can map AD groups to Salesforce public groups, roles, profiles, and permission sets. These permissions control the access and visibility of data and features in Salesforce. References:
Salesforce Identity Connect Implementation Guide


NEW QUESTION # 54
Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API.
Additionally UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App? Choose 2 answers

  • A. full
  • B. Web
  • C. API
  • D. Refresh token

Answer: C,D


NEW QUESTION # 55
Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution as Architect should consider?

  • A. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.
  • B. Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.
  • C. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.
  • D. Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.

Answer: C


NEW QUESTION # 56
Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP).
Both companies rely extensively on Salesforce processes that send emails to users to take specific actions in Salesforce.
How should the combined companys' employees collaborate in a single Salesforce org, yet authenticate to the appropriate IdP?

  • A. Have generated links be prefixed with the appropriate IdP URL to invoke an IdP-initiated Security Assertion Markup Language flow when clicked.
  • B. Configure unique MyDomains for each company and have generated links use the appropriate MyDomam in the URL.
  • C. Have generated links append a querystnng parameter indicating the IdP. The login service will redirect to the appropriate IdP.
  • D. Enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click onthe appropriate IdP button.

Answer: D

Explanation:
To allow employees to collaborate in a single Salesforce org, yet authenticate to the appropriate IdP, the identity architect should enable each IdP as a login option in the MyDomain Authentication Service settings.
Users will then click on the appropriate IdP button. MyDomain is a feature that allows administrators to customize the Salesforce login URL with a unique domain name. Authentication Service is a setting that allows administrators to enable different authentication options for users, such as social sign-on or single sign- on with an external IdP. By enabling each IdP as a login option in the MyDomain Authentication Service settings, the identity architect can provide a user-friendly and secure way for employees to log in to Salesforce using their preferred IdP. References: MyDomain, Authentication Service


NEW QUESTION # 57
Universal Container's (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar.
UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month.
Which of the following license types should be used to meet the requirement?

  • A. External Apps License
  • B. Customer Community plus Login License
  • C. Partner CommunityLicense
  • D. Partner Community Login License

Answer: D

Explanation:
Partner Community Login License is the best option for UC's use case, as it allows external partners to access Experience Cloud sites and Salesforce data with a pay-per-login model. The other license types are either too expensive or not suitable for partner users. References: Experience Cloud User Licenses, Salesforce Experience Cloud Pricing


NEW QUESTION # 58
......

Authentic Identity-and-Access-Management-Architect Dumps With 100% Passing Rate Practice Tests Dumps: https://www.prep4surereview.com/Identity-and-Access-Management-Architect-latest-braindumps.html

Salesforce Identity-and-Access-Management-Architect Real Exam Questions Guaranteed Updated Dump from Prep4SureReview: https://drive.google.com/open?id=1-I5j276HAIClpWe-4ow9zSj8OAl7Skek