Free Practice Questions for Salesforce Identity-and-Access-Management-Architect Exam

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option C is the best answer in Salesforce terms.

For fine-grained delegated access and long-lived sessions, the Authorization Code flow is the strongest mainstream OAuth choice. It supports user consent, server-side token exchange, and refresh-token issuance in the patterns Salesforce documents for confidential applications. Client Credentials is for app-to-app integration without a user context, and Implicit/User-Agent is less suitable for strong control and durable token management. Username-password is a special-case flow that trades off security and user experience. The reason this matters architecturally is that the authorization code pattern separates user authentication from token exchange and allows the client to keep secrets securely on the server side. That is why it remains the preferred model for robust delegated access to protected Salesforce resources. This is why option B is the best answer in Salesforce terms.

When a single identity design must support very high external login volumes, performance becomes part of the architecture, not just feature selection. Salesforce Experience Cloud and identity features can support large-scale CIAM scenarios, but official guidance encourages validating expected login peaks and performance assumptions with Salesforce for unusually high throughput requirements. That is especially important when the solution spans communities and commerce experiences and expects more than a thousand logins per minute. The question is not just whether the platform supports federation, Person Accounts, or an external identity provider; it is whether the design has been reviewed for operational scale. Confirming performance considerations with Salesforce is therefore the prudent architectural step before finalizing the rollout model. This is why option B is the best answer in Salesforce terms.

If AWS holds the workforce credentials and Salesforce must trust that external identity for authentication, OpenID Connect is the natural standards-based fit when AWS can operate as the identity provider. Salesforce can consume an OIDC provider for authentication and authorization scenarios in a way that avoids building a custom authentication server unnecessarily. A connected app by itself does not make AWS the identity source, and a custom external auth provider is only needed when there is no suitable standard protocol support. The architecture requirement is to let Salesforce trust the external identity system while preserving standards and minimizing custom code. Configuring AWS as an OpenID Connect provider satisfies that need cleanly. This is why option D is the best answer in Salesforce terms.

For a connected app to appear as a tile in the Salesforce App Launcher, two things generally matter: the app must be marked visible in the App Launcher, and the connected app configuration must include the required launch details such as the start URL or equivalent launch settings. High-assurance session requirements or OIDC scopes do not by themselves control whether the tile shows up. The absence of a launch target can keep the app from being presented meaningfully to users even when the connected app exists. From an architecture and administration perspective, discovery in the launcher depends on app-visibility settings plus a valid launch configuration. Without those, users can be entitled to the app and still not see it in the launcher. This is why options B, C work together as the correct solution.

The OAuth 2.0 web server flow follows the authorization-code pattern documented by Salesforce. First, the client requests an authorization code. The user then authenticates and authorizes access. Salesforce returns the authorization code to the client, after which the client exchanges that code at the token endpoint. Salesforce finally issues the access token. The reason this sequence matters is security: the code is a short-lived intermediary credential that is exchanged server to server, rather than exposing the access token directly in the browser. That is why the web server flow is recommended for confidential applications that can protect a client secret. Any sequence that skips the code exchange or grants the token before authorization is not the correct Salesforce authorization-code flow. This is why option A is the best answer in Salesforce terms.

For social sign-on into Experience Cloud, Salesforce relies on authentication providers to establish trust with each social identity source and on a registration handler to create or update the Salesforce user and related records. That pattern applies whether the provider is Facebook, LinkedIn, Twitter, or a standards-based OpenID Connect provider. Process Builder or Flow does not replace the registration handler in this identity handshake. The registration handler is where Salesforce decides how to map the incoming identity to an existing user, when to create a new one, and how to update profile information over time. From an architecture standpoint, authentication providers solve the external trust, and the registration handler solves the user lifecycle inside Salesforce. This is why options B, C work together as the correct solution.

OAuth scopes are the mechanism Salesforce uses to define what an external application can request access to. If the requirement is to control access to protected resources in a flexible and granular way, custom scopes are the right enhancement. They let the architect express purpose-specific access boundaries beyond coarse app approval alone. Admin-preapproved access and permission sets govern who can use the connected app, but scopes govern what the token is intended to do. External objects and data classification don’t solve the token-authorization problem. The design principle is least privilege at the API boundary. By carefully defining and assigning scopes, the organization can limit access in a way that is meaningful to both the application and the resource server. This is why option B is the best answer in Salesforce terms.

When Salesforce is acting as an identity provider and the goal is to make a third-party application available from within Salesforce, two standard tools work together: a connected app to define trust and single sign-on behavior, and the App Launcher to give users a discoverable entry point. The connected app handles the identity relationship and protocol settings, while the launcher exposes the application from the Salesforce UI. Delegated Authentication and external data sources solve different problems and don’t provide the same app-launch experience. In Salesforce Identity architecture, this combination is common because it aligns governance and usability: the app is centrally configured through a connected app and then delivered to users as part of their Salesforce app catalog. This is why options A, C work together as the correct solution.

Salesforce documents token introspection as the standards-based way to ask the authorization server about the current state of an OAuth token after it has been issued. That is exactly what this scenario requires: checking whether an OpenID Connect access token is still active, expired, or revoked. The discovery document only advertises endpoints and capabilities; it does not return runtime token status for a specific token. Likewise, enabling CORS on the token endpoint affects browser access patterns, not token validation, and creating a custom scope changes authorization boundaries rather than token-state lookup. In other words, when the requirement is “retrieve token status,” token introspection is the platform feature designed for that purpose. This is why option A is the best answer in Salesforce terms.