Free Salesforce-Platform-Identity-and-Access-Management-Architect Practice Test Questions (2026)

Explanation:

Universal Containers wants to use Salesforce Identity (as the Identity Provider) to control access to a custom time tracking app built on a third-party system. This scenario requires Salesforce users (internal employees) to authenticate via Salesforce and gain SSO access to the external app, typically through a Connected App configured with SAML, OAuth, or delegated authentication.

The minimum license required for this use case is the Identity Only license.

Why "Identity Only"?
This license is specifically designed for internal employees who only need access to Salesforce Identity services (such as SSO to external/connected applications) without needing access to Salesforce CRM data, objects, reports, or standard apps.
It allows users to log in to third-party applications integrated with Salesforce Identity while keeping costs minimal for users who do not require full Salesforce platform access.
In the context of the exam, this is the standard recommendation when Salesforce acts as the IdP for employee access to external apps.

Why the other options are incorrect
External Identity — This license is intended for external users (customers, partners, or self-service scenarios) in Experience Cloud (formerly Communities). It provides limited access to some standard and custom objects for self-service portals, not for internal employees accessing a third-party employee time-tracking app.
Identity Connect — This is a tool/product for synchronizing users and groups between Salesforce and external directories (e.g., Active Directory), not a user license.
Identity Verification — This refers to add-on features or credits for identity verification (e.g., via SMS, authenticator apps, or third-party services for MFA/enhanced security), not a base license for SSO access control.

Reference
According to Salesforce documentation on Identity Licenses:
Identity Only licenses provide extra capacity for employees to use identity services like single sign-on (SSO) to connected apps without a full Salesforce or Platform license.

This aligns directly with the exam's focus on choosing the right license type for Salesforce as an Identity Provider (IdP) scenarios involving internal users and third-party applications.

Explanation:
NTO needs a partner portal with external IdP (Ping Identity) and one registration per partner to avoid duplicates. The solution must ensure the partner registers first in Experience Cloud, not directly in the IdP, so Salesforce can enforce uniqueness before the identity is propagated externally. The recommended pattern is IdP-initiated after local registration.

Correct Option:

A. Create a custom page in Experience Cloud to self register partner with Experience Cloud and Ping Identity store.
This allows NTO to enforce business rules (unique partner registration) within Salesforce before or while creating the identity in Ping. Experience Cloud self-registration can be extended to call Ping’s API to provision the external identity after Salesforce validation, preventing duplicates.

Incorrect Option:

B. On successful creation of Partners using Self Registration page in Experience Cloud, create Identity in Ping.
While similar to A, this option lacks the “custom page” aspect. Standard self-registration may not seamlessly trigger Ping user creation without customization. More importantly, option A explicitly includes the custom page needed for external IdP provisioning, making B incomplete and less precise.

C. Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs.
This reverses the flow. Creating the user in IdP first or simultaneously without Salesforce-first validation risks duplicates. Salesforce should be the system of record for partner uniqueness. Also, “Portal” is vague — Experience Cloud is the correct term.

D. Allow partners to register through the IdP and create partner users in Salesforce through an API.
This is IdP-initiated registration, which bypasses Salesforce’s duplicate prevention at the point of entry. By the time Salesforce receives the user via API, a duplicate might have already been created in the IdP, violating the “register only once” requirement.

Reference:
Salesforce Identity and Access Management Architect Guide — “External Identity Provider with Experience Cloud” and “Just-in-Time Provisioning vs. API Provisioning”; Trailhead: “Identity for Partners and Customers” module.

Explanation:

This question tests dynamic branding in an OAuth 2.0 flow where Heroku acts as the client and Experience Cloud as the IdP. The user selects a brand in Heroku before authorization. The IdP must render a login page with brand-specific images dynamically. Login Flows allow runtime decisions based on incoming parameters.

✔️ Correct Option:

✔️ A. Create multiple login screens using Experience Builders and use Login Flows at runtime to route to different login screens.
Login Flows evaluate the brand preference passed from Heroku (e.g., via display or custom parameter). Based on that value, the flow redirects the user to a brand-specific login screen built in Experience Builder. This enables dynamic image rendering before credentials are entered, meeting the requirement without multiple communities.

❌ Incorrect options:

❌ B. Authorize third-party service by sending authorization requests to the community. Authorizes/search? authorize?node=value.
This option contains malformed and non‑standard OAuth syntax. More critically, it does not address dynamic login screen rendering based on brand preference. Authorization parameters alone cannot change the login page UI at runtime.

❌ C. For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex.
Creating separate communities for each brand is over‑engineered and costly. While technically possible, Salesforce recommends Login Flows for dynamic branding within a single community. Custom Apex controllers add unnecessary maintenance complexity for this use case.

❌ D. Authorize third-party service by sending authorization requests to the community. Authorizes/search? authorize?coside_value.
This option contains a typo ("coside_value") and invalid OAuth syntax. Like option B, it only describes authorization request formatting and provides no mechanism to dynamically render brand‑specific login page images before authentication.

🔧 Reference:
→ Salesforce Help: Customize Login Experiences with Login Flows
Confirms that Login Flows can route users to different login pages, communities, or experience sites based on runtime criteria such as URL parameters, enabling dynamic branding.

Explanation:

In this scenario, UC wants to:
Store user credentials in AWS (so AWS is the identity source).
Allow users to access Salesforce for internal operations using those AWS-stored credentials.

This means AWS will act as the Identity Provider (IdP), and Salesforce will be the Service Provider (SP) that trusts AWS to authenticate users. To integrate an external IdP (AWS) with Salesforce for user authentication and authorization, you configure the external IdP as an OpenID Connect (OIDC) Provider in Salesforce. This allows Salesforce to accept OIDC tokens from AWS and map them to Salesforce users for Single Sign-On (SSO).

Analysis of Other Options
Create a custom external authentication provider: This is a misdirection. While you do create an Authentication Provider in Salesforce, it is not "custom" in the sense of building a new authentication system. Instead, you configure a standard OpenID Connect Authentication Provider in Salesforce and point it to AWS Cognito or another OIDC-compliant service.

Develop a custom Auth server in AWS: This approach is unnecessary and overly complex. AWS already provides managed identity services such as Amazon Cognito, which fully supports OpenID Connect. There is no need to build a custom authorization server when a standards-based solution already exists.

Configure the custom employee app as a connected app: A Connected App in Salesforce is used when Salesforce acts as the Identity Provider or when external applications need API access. In this case, AWS is the Identity Provider, so the employee app does not need to be configured as a Connected App for authentication into Salesforce. Instead, Salesforce must be configured to trust AWS.

Conclusion
The correct approach is to configure AWS (using Cognito User Pools) as an OpenID Connect Provider in Salesforce Authentication Provider settings. This establishes AWS as the identity source and allows users stored in AWS to authenticate seamlessly into Salesforce using Single Sign-On.

Reference
Salesforce Help: Set Up an OpenID Connect Authentication Provider
Salesforce Identity Implementation Guide: Authentication Providers for inbound SSO

Explanation:
Universal Containers needs a B2C application with SSO using Salesforce Identity. For external consumers (not employees or partners), the appropriate license must support authentication, profile management, and social sign-on without requiring full CRM or community access. Salesforce offers specific Identity licenses for external users.

Correct Option:

C. External Identity
The External Identity license is designed specifically for B2C and external identity use cases. It allows unlimited external users to authenticate via Salesforce Identity, including SSO, social logins, and registration flows. Users get an identity record but no access to Salesforce CRM or Experience Cloud pages, making it cost-effective for pure authentication scenarios.

Incorrect Option:

A. Salesforce Platform
This license provides access to custom objects and apps but is intended for internal employees or partners building custom applications. It is not optimized for B2C SSO, has higher per-user costs, and includes platform access that external consumers do not need.

B. Partner Community
Partner Community licenses are for B2B scenarios where partners need access to cases, opportunities, or custom objects. They include Contact and Account relationships and are too expensive and feature-heavy for simple B2C SSO. Also, they require a partner account model.

D. Identity Only
This is a deprecated license from older Salesforce Identity offerings. The current recommended license for B2C SSO is External Identity. Identity Only is no longer available for new implementations and lacks modern features like social sign-on and progressive profiling.

Reference:

Salesforce Help Article: "External Identity License" – Learn about licenses for external users.

Salesforce Identity and Access Management Architect Guide – "Selecting the Right License Type for External Users."

Trailhead: "Get Started with Salesforce Identity for External Users" – Unit on External Identity vs. Community Licenses.

Explanation:

This question tests knowledge of B2B partner provisioning in Salesforce Experience Cloud with SAML SSO and delegated administration. Partners need authentication (User record) and data association (Contact record). Delegated administration requires the Contact to be under the partner's Account hierarchy. Missing either record breaks SSO or partner management.

✔️ Correct Option:

✔️ A. Create a user and a related contact.
A User record stores login credentials, SAML federation ID, and profile/permissions. A related Contact links the user to a specific partner Account, enables partner hierarchy visibility, and is mandatory for delegated administration—allowing partner admins to manage only their own users. Both records together satisfy authentication, data ownership, and delegation requirements.

❌ Incorrect options:

❌ B. Create only a contact.
A Contact is a data object (name, email, phone) without login capabilities. It cannot store a SAML federation ID, assign a profile, or authenticate via an identity provider. Without a User record, the partner cannot access the Experience Cloud site at all.

❌ C. Create a contactless user.
A User without a Contact exists but has no relationship to any partner Account. Delegated administration fails because the system cannot determine which partner Account owns the user. Also, partner reports, account teams, and community sharing rules typically depend on the Contact-Account link.

❌ D. Create a person account.
Person Accounts combine Contact and Account fields into a single record, intended for B2C scenarios (e.g., retail customers). They do not support standard B2B partner delegation, cannot be used as parent accounts for multiple partner users, and often cause compatibility issues with Experience Cloud partner portal features.

🔧 Reference:
→ Salesforce Help: Set Up Partner Users in Experience Cloud
Confirms that each partner user requires both a User record (for login and permissions) and a Contact record (to link to a partner Account), and that delegated administration depends on this Contact-Account relationship.

Explanation:

Northern Trail Outfitters wants to implement passwordless login for its customer service portal (Experience Cloud) using a one-time passcode (OTP) sent via email or SMS.

Here’s how Identity Verification Credits work in this context:

Email-based verification (one-time passcode sent to email) → Free (no credits consumed).
SMS-based verification (one-time passcode sent via text message) → Consumes Identity Verification Credits.

Identity Verification Credits are a usage-based add-on (not a fixed user license). They are consumed per SMS message sent for identity verification purposes, including:

Passwordless login OTPs
MFA challenges
Other verification flows (e.g., registration, password reset)

Why Option C is Correct
It accurately states that credits are consumed with each SMS sent.
Estimation must be based on the number of login verification challenges where users choose (or are routed to) SMS as the delivery method.
Since customers can choose email or SMS, estimation should be based on the projected percentage of users who will use SMS, not total logins.

Why the Other Options Are Incorrect
A: Incorrect. It states “with each verification sent” which is too broad. Email verifications do not consume credits. Only SMS-based verifications consume credits.

B: Incorrect. There is no standard 10,000 free credits per community per month. Identity Verification Credits are not allocated as a fixed free monthly quota per community; they are consumption-based and billed according to usage.

D: Incorrect. Identity Verification Credits are not directly tied to the number of Community licenses. They are a consumption-based entitlement similar to usage-based services like API calls or messaging, not a per-license allocation.

Key Takeaways for the Exam
Email OTP in passwordless login → No cost (no credits consumed).
SMS OTP → Consumes Identity Verification Credits.

When estimating usage, consider:
Total expected logins per month.
Percentage of users likely to choose SMS vs email.
Additional buffer for retries, failed attempts, or resend scenarios.

This is a classic licensing and estimation scenario that tests understanding of Experience Cloud identity features and usage-based billing behavior.

Explanation:
Dynamic branding in Experience Cloud allows different brands or sub-brands to display unique logos, colors, and content based on a URL parameter, without creating separate sites. This is useful when multiple partner or customer entities access the same Experience Cloud site but require distinct visual identities during and after login.

Correct Options:

B. To use dynamic branding, the community must be built with the Customer Account Portal template.
The Customer Account Portal template is specifically designed to support dynamic branding features. This template includes the necessary components and architecture to switch branding assets based on the account or URL parameter. Other templates like Partner Central or Tabs + Salesforce Tabs do not offer this capability natively.

D. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
Dynamic branding is triggered by adding an expid (experience ID) parameter or a custom placeholder in the Experience Cloud URL. This value maps to a specific brand configuration, enabling different logos, themes, and navigation menus. Without this parameter, the system cannot determine which brand to display.

Incorrect Options:

A. To use dynamic branding, the community must be built with the Audience + Salesforce Tabs template.
This template is designed for audience targeting and role-based content, not for dynamic branding. It does not support the expid parameter or brand switching. Dynamic branding is a feature of the Customer Account Portal template only, not the Audience template.

C. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites.
An external CMS is not required. Dynamic branding is handled natively within Experience Cloud using brand sets, themes, and the expid parameter. While an external CMS could theoretically be integrated, it is not a requirement and adds unnecessary complexity.

Reference:

Salesforce Help Article: "Add Dynamic Branding to Your Experience Cloud Site"

Trailhead: "Build Branded Experiences with Experience Cloud" – Unit on "Dynamic Branding"

Salesforce Architect Documentation: "Experience Cloud Dynamic Branding Implementation Guide"

Explanation:
For a mobile-first CIAM solution supporting email or mobile phone number as username, the primary license must cover external user authentication. Additionally, to verify mobile phone numbers during registration or login (e.g., one-time passcodes), SMS verification credits are required separately. Email verification is handled differently and does not require dedicated credits.

Correct Options:

A. External Identity Licenses
External Identity licenses are specifically designed for B2C/CIAM use cases. They allow external users to authenticate using Salesforce Identity features such as registration, login, social sign-on, and support for alternate usernames (email or phone number). These licenses do not include CRM or community access, making them cost-effective for pure authentication scenarios.

D. SMS Verification Credits
When users authenticate using a mobile phone number as username, one-time passcodes (OTP) via SMS are commonly used for verification. SMS Verification Credits are required to send these SMS messages through Salesforce's built-in verification service. Without these credits, SMS-based verification flows will fail.

Incorrect Options:

B. Email Verification Credits
Email verification is supported in Salesforce Identity without dedicated "credits." Email is sent using standard Salesforce email limits or External Identity license included email capabilities. There is no separate "Email Verification Credits" line item in Salesforce Identity pricing or architecture. This option does not exist as a required license.

C. Identity Connect Licenses
Identity Connect is used for Active Directory integration and provisioning between on-premises directories and Salesforce. It is irrelevant for pure cloud-based CIAM with email or phone as username. This license is for employee identity synchronization, not external consumer authentication.

Reference:

Salesforce Pricing Guide: "External Identity License – Includes SMS verification via credits"

Salesforce Help Article: "Set Up SMS Verification for External Users"

Trailhead: "Identity for Consumers (CIAM)" – Unit on "Verification Methods"

Explanation:

When you need to apply specific security constraints that differ from the global organizational defaults for a specific application, you utilize the Connected App OAuth policies. This allows you to exert fine-grained control over how that specific integration behaves.

Why this is the correct choice

Granular Control: Within the OAuth Policies section of a Connected App, administrators can configure IP Relaxation (which can be set to "Enforce IP restrictions" to require that the application only be accessed from specific IP ranges defined in the org) and Session Timeout values.

Scope: These settings override the organization-wide defaults, ensuring that the specific integration (the Connected App) adheres to the security posture required for the partner portal, even if other parts of the organization have more relaxed settings.

Why the other options are incorrect

Session Settings: These are organization-wide configurations (found in Setup). Modifying these would impact all users and all applications within your Salesforce org, not just the specific Connected App for the partner portal.

Login IP Ranges: While you can define Login IP ranges on a Profile level, this is a restrictive approach that applies to the user's entire session in Salesforce. It is not a configuration specific to a Connected App’s authentication flow.

Custom Permissions: These are used to grant access to specific features or buttons within your Salesforce implementation (e.g., "Can Edit Confidential Records"). They have no role in controlling IP restrictions or session timeout durations.

References
Salesforce Help: Manage OAuth Access Policies for a Connected App
Salesforce Help: Understanding Connected App Settings