Salesforce-Platform-Identity-and-Access-Management-Architect Exam Questions With Explanations

The best Salesforce-Platform-Identity-and-Access-Management-Architect practice exam questions with research based explanations of each question will help you Prepare & Pass the exam!

Over 15K Students have given a five star review to SalesforceKing

Why choose our Practice Test

By familiarizing yourself with the Salesforce-Platform-Identity-and-Access-Management-Architect exam format and question types, you can reduce test-day anxiety and improve your overall performance.

Up-to-date Content

Ensure you're studying with the latest exam objectives and content.

Unlimited Retakes

We offer unlimited retakes, ensuring you'll prepare each question properly.

Realistic Exam Questions

Experience exam-like questions designed to mirror the actual Salesforce-Platform-Identity-and-Access-Management-Architect test.

Targeted Learning

Detailed explanations help you understand the reasoning behind correct and incorrect answers.

Increased Confidence

The more you practice, the more confident you will become in your knowledge to pass the exam.

Study whenever you want, from any place in the world.

Salesforce Salesforce-Platform-Identity-and-Access-Management-Architect Exam Sample Questions 2026

Start practicing today and take the fast track to becoming Salesforce Salesforce-Platform-Identity-and-Access-Management-Architect certified.

Salesforce 2026 Release
108 Questions

Salesforce User Authentication

A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements:

1. They plan to implement Partner communities to provide access to their partner network.
2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs.
3. Some of their partners do business in multiple countries and will need information from multiple Salesforce communities.
4. They would like to provide a single login for their partners.

How should an Identity Architect solution this requirement with limited custom development?

A. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.

B. Register partners in one org and access information from other orgs using APIs.

C. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.

D. Consolidate Partner related information in a single org and provide access through Salesforce community.

D.   Consolidate Partner related information in a single org and provide access through Salesforce community.

Explanation:

This question addresses a common scenario where a company operates multiple Salesforce orgs across different countries but wants partners doing business in multiple countries to have a single login experience. The key constraint is "limited custom development." The most architecturally sound approach is to consolidate all partner-facing data into one primary org and use Experience Cloud communities to provide access. Using SAML federation between orgs or multiple API integrations would require significant custom development and maintenance. Partner Connect is designed for this, providing a read-only glimpse between orgs without complex code. However, consolidating data into a single org is the simplest path for "limited custom development."

✔️ Correct Option:

✔️ D. Consolidate Partner related information in a single org and provide access through Salesforce community.
By centralizing all partner-relevant data (opportunities, cases, inventory) from multiple countries into a single Salesforce org, the partner only needs one set of credentials to access one community. SAML SSO can be configured for that single community. This simplifies the architecture drastically compared to complex org-to-org integrations. It requires data migration but almost zero ongoing custom code for authentication.

❌ Incorrect options:

❌ A. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.
This implies the partner logs into one org and is "federated" to another. While SAML can connect orgs, this requires the Service Provider (Org B) to trust the Identity Provider (Org A). This setup is complex, requires custom Apex handlers to pass context between orgs, and violates the "limited custom development" constraint.

❌ B. Register partners in one org and access information from other orgs using APIs.
This would involve the community org making real-time API callouts to other country-specific orgs every time a partner requests data. This requires extensive Apex coding for API integration, error handling, and bulk data synchronization, violating the "limited custom development" requirement.

❌ C. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.
This option makes the partner responsible for navigating multiple systems and logging in multiple times. It directly violates the requirement to "provide a single login for their partners" and creates a poor user experience.

🔧 Reference:
Salesforce Help: Authenticate Experience Cloud Site Users
Confirms that Experience Cloud sites support SAML SSO, and that Salesforce supports SSO between multiple orgs, but a single centralized community is the standard pattern for simplicity.

A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity.

Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?

A. Login Inspector

B. Login Forensics

C. Login Report

D. Login History

B.   Login Forensics

Explanation:
To detect fraudulent activity like unusual login frequency or off-hours access, Salesforce provides Event Monitoring, which includes Login Forensics (part of Login Analytics). Login Forensics analyzes login patterns, calculates averages, and surfaces anomalous behavior such as users exceeding average login counts or logging in outside business hours.

Correct Option:

B. Login Forensics
Login Forensics is a feature within Salesforce Event Monitoring (Login Analytics). It uses machine learning and statistical analysis to identify anomalies in login behavior. It can show average logins per user, flag users logging in during non-business hours, and highlight users who exceed the average. This is specifically designed for security monitoring and fraud detection.

Incorrect Options:

A. Login Inspector
There is no standard Salesforce feature called "Login Inspector." This may be confused with Login Forensics or a third-party tool. It is not a valid native tool for tracking average logins or off-hours activity.

C. Login Report
Standard login reports (from Login History) can show raw login events but cannot calculate averages, compare users against averages, or automatically highlight anomalies. Login reports require manual analysis and do not provide the behavioral analytics needed for fraud detection.

D. Login History
Login History is a standard setup audit trail showing raw login events (timestamp, user, IP, status). It does not compute averages, flag off-hours logins automatically, or identify anomalous patterns. While useful for basic auditing, it lacks the advanced analytics required for this use case.

Reference:

Salesforce Help Article: "Monitor Login Activity with Event Monitoring – Login Forensics"

Trailhead: "Event Monitoring for Security" – Unit on "Login Forensics"

Salesforce Architect Documentation: "Login Forensics Metrics (Average Logins, Off-Hours Access)"
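
The three metrics named in the question (average number of logins, users above that average, logins outside business hours), computed over constructed rows as an added example. This is not Salesforce's implementation or code from this page; the row layout, the 08:00-18:00 Monday-Friday window and all function names are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample rows (user, local login time); not real Salesforce data.
SAMPLE_LOGINS = [
    ("alice", "2026-03-02T09:15:00"),
    ("alice", "2026-03-02T13:40:00"),
    ("bob",   "2026-03-02T10:05:00"),
    ("carol", "2026-03-02T23:50:00"),  # weekday, late night
    ("carol", "2026-03-03T02:10:00"),  # weekday, early morning
    ("carol", "2026-03-03T11:00:00"),
    ("carol", "2026-03-03T15:30:00"),
    ("dave",  "2026-03-07T12:00:00"),  # Saturday
]

# Assumed business hours: 08:00-18:00, Monday to Friday, in the rows' local time.
BUSINESS_START, BUSINESS_END = 8, 18

def login_counts(rows):
    """Number of logins per user."""
    return Counter(user for user, _ in rows)

def average_logins(rows):
    """Mean logins per user that logged in at least once."""
    counts = login_counts(rows)
    return sum(counts.values()) / len(counts) if counts else 0.0

def above_average(rows):
    """Users whose login count is strictly greater than the average."""
    avg = average_logins(rows)
    return sorted(u for u, n in login_counts(rows).items() if n > avg)

def is_off_hours(when):
    """True for weekends or times outside the assumed business window."""
    weekend = when.weekday() >= 5  # 5 = Saturday, 6 = Sunday
    return weekend or not (BUSINESS_START <= when.hour < BUSINESS_END)

def off_hours_logins(rows):
    """Rows whose timestamp falls outside business hours."""
    return [(u, ts) for u, ts in rows if is_off_hours(datetime.fromisoformat(ts))]

if __name__ == "__main__":
    print("average:", average_logins(SAMPLE_LOGINS))
    print("above average:", above_average(SAMPLE_LOGINS))
    print("off hours:", off_hours_logins(SAMPLE_LOGINS))
```
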

A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be used for passwordless login.

Which feature should an identity architect recommend to meet the requirements?

A. Integrate with social websites (Facebook, LinkedIn, Twitter)

B. Use Login Discovery

C. Create a custom Lightning Web Component

D. Use an external Identity Provider

B.   Use Login Discovery

Explanation:
The agency needs new user registration capturing first name, last name, and phone number, with phone number used for passwordless login. Login Discovery (specifically the Login Flow feature) allows a no-code flow that presents registration screens conditionally, collects user attributes, and can trigger phone-based verification (OTP) without a custom component or external IdP.

Correct Option:

B. Use Login Discovery
Login Discovery (via Login Flows) enables administrators to create a screen flow that runs before a user is fully authenticated. It can collect name and phone number, verify the phone via SMS OTP, and then either register a new user or authenticate an existing one using passwordless login. This meets all requirements declaratively without custom code or external integrations.

Incorrect Options:

A. Integrate with social websites (Facebook, LinkedIn, Twitter)
Social login integrates existing social identities but does not natively capture phone number for passwordless login. Social providers typically return email, not phone. Additionally, this adds complexity and an external dependency, with no native phone verification flow tied to registration.

C. Create a custom Lightning Web Component
An LWC could be built to capture these fields, but that requires development, testing, and maintenance. Login Discovery provides a declarative, supported alternative with built-in phone verification actions. The question asks for a feature recommendation, not a custom coding approach.

D. Use an external Identity Provider
An external IdP (e.g., Okta, Auth0) could handle phone-based passwordless login, but this adds cost and integration effort. Salesforce Identity can natively achieve the same using Login Discovery with phone verification. An external IdP is unnecessary and violates choosing the simplest in-platform solution.

Reference:

Salesforce Help Article: "Login Flows for Phone Verification and Passwordless Login"

Trailhead: "Identity and Access Management for Architects" – Unit on "Login Discovery"

Salesforce Architect Documentation: "Passwordless Login Using Login Flows"

An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage.

What is recommended to fulfill this requirement with the least amount of customization?

A. Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the user profile.

B. Use Login Flows to add a screen that shows personalized alerts.

C. Create custom metadata that stores user alerts and use a LWC to display alerts.

D. Build a Lightning Web Component (LWC) for a homepage that shows custom alerts.

B.   Use Login Flows to add a screen that shows personalized alerts.

Explanation:
The requirement is to show personalized alert messages to users before they land on the Experience Cloud homepage, with the least customization. Login Flows (formerly known as Login Discovery or Authentication Flows) allow administrators to add screens with custom logic and messages after authentication but before the user accesses the site, without writing Apex or building components.

Correct Option:

B. Use Login Flows to add a screen that shows personalized alerts.
Login Flows are a declarative, point-and-click feature in Salesforce. An administrator can create a Login Flow that triggers after successful authentication but before the user reaches the Experience Cloud homepage. The flow can include conditional logic to show different alert messages based on user profile, attributes, or time of day. This requires no Apex, LWC, or custom metadata, making it the least customization option.

Incorrect Options:

A. Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the user profile.
This requires writing Apex and custom navigation logic, which is not "least customization." Registration handlers are designed for user provisioning during registration, not for post-login alerts before homepage rendering. This approach is overly complex and misaligned.

C. Create custom metadata that stores user alerts and use a LWC to display alerts.
Building a custom Lightning Web Component plus custom metadata types requires development effort. The alert would display on the homepage, not before landing on it. This does not meet the "before they land on the homepage" requirement and involves significant customization.

D. Build a Lightning Web Component (LWC) for a homepage that shows custom alerts.
Similar to option C, this displays alerts on the homepage, not before it. Users would first see the homepage, then the alert. Additionally, building an LWC requires development and deployment, which is far more customization than a declarative Login Flow.

Reference:

Salesforce Help Article: "Login Flows – Add Screens Before Users Access an Experience Cloud Site"

Trailhead: "Identity and Access Management for Architects" – Unit on "Login Discovery and Login Flows"

Salesforce Architect Documentation: "Login Flows for Experience Cloud"

An administrator created a connected app for a custom web application in Salesforce which needs to be visible as a tile in App Launcher. The tile for the custom web application is missing in the app launcher for all users in Salesforce. The administrator requested assistance from an identity architect to resolve the issue. Which two reasons are the source of the issue? Choose 2 answers

A. Session Policy is set as “High Assurance Session required” for this connected app.

B. The connected app is not set in the App menu as “Visible in App Launcher”.

C. Statutes, for the connected app is not set in Connected App settings.

D. Obtain scope does not include “openid”.

B.   The connected app is not set in the App menu as “Visible in App Launcher”.
C.   Statutes, for the connected app is not set in Connected App settings.

Explanation:

The App Launcher is a central hub for users to access all their authorized applications. For a Connected App to appear as a tile there, several administrative checkboxes and metadata fields must be correctly configured.

Why B and C are the source of the issue

The App Menu Visibility (Option B)
Even if a Connected App is created and the user has permission to access it, it will not show up in the App Launcher unless it is explicitly set to "Visible in App Launcher" within the App Menu setup. Administrators use this setting to curate which apps appear in the user's workspace.

The Start URL/Status (Option C)
A tile in the App Launcher is essentially a link. If the Start URL is missing in the Connected App settings, Salesforce doesn't know where to send the user, and therefore often won't display the tile. Additionally, if the app is not in an "Installed" or "Active" status within the specific org (common in managed package scenarios), it remains hidden.

Why the other options are incorrect

Session Policy (High Assurance)
This policy forces a user to provide a second factor (MFA) after clicking the tile but before accessing the app. It does not hide the tile itself; it simply adds a security gate during the transition.

OpenID Scope
The openid scope is required for the application to receive an ID token during the authentication handshake. However, the presence or absence of a specific OAuth scope does not dictate whether the app's icon appears in the Salesforce UI.

References
Salesforce Help: Manage the App Menu
Salesforce Help: Why is my Connected App missing from the App Launcher?
