Identity-and-Access-Management-Architect Exam Questions - Online Test


Identity-and-Access-Management-Architect Premium VCE File

Learn More 100% Pass Guarantee - Dumps Verified - Instant Download
150 Lectures, 20 Hours

certleader.com

Your success in Salesforce Identity-and-Access-Management-Architect is our sole target and we develop all our Identity-and-Access-Management-Architect braindumps in a way that facilitates the attainment of this target. Not only is our Identity-and-Access-Management-Architect study material the best you can find, it is also the most detailed and the most updated. Identity-and-Access-Management-Architect Practice Exams for Salesforce Identity-and-Access-Management-Architect are written to the highest standards of technical accuracy.

Online Identity-and-Access-Management-Architect free questions and answers of New Version:

NEW QUESTION 1
Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app.
The chief security officer is rolling out an org wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week.
Which connected app setting should be leveraged to comply with this policy change?

  • A. Scope - Deny refresh_token scope for this connected app.
  • B. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
  • C. Session Policy - Set timeout value of the connected app to 7 days.
  • D. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.

Answer: B

Explanation:
Refresh Token Policy - Expire the refresh token if it has not been used for 7 days is the connected app setting that should be leveraged to comply with the policy change. This setting ensures that users have to re-verify their devices if they have not logged in from that device in the last week. The other settings are either not relevant or not effective for this scenario. References: Connected App Basics, OAuth 2.0 Refresh Token Flow

NEW QUESTION 2
Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel preferences and purchasing history. All of this information exists but is spread across different systems and formats.
NTO has decided to use Salesforce as the platform to build a 360 degree view. The company already uses Microsoft Active Directory (AD) to manage its users and company assets.
What should an Identity Architect do to provision, deprovision and authenticate users?

  • A. Salesforce Identity is not needed since NTO uses Microsoft AD.
  • B. Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.
  • C. Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately.
  • D. A Salesforce Identity can be included but NTO will require Identity Connect.

Answer: D

Explanation:
Identity Connect is a Salesforce product that integrates Microsoft Active Directory with Salesforce user records. It allows provisioning, deprovisioning, and authentication of users based on AD data. The other options are either incorrect or irrelevant for this use case. References: Get to Know Identity Connect, Identit
Connect

NEW QUESTION 3
A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native IOS mobile app from corporate intranet on their mobile device. The app allows flexibility to access other non-Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into Salesforce.
How should an identity architect meet the above requirements with the privately distributed mobile app?

  • A. Use connected app with OAuth and Security Assertion Markup Language (SAML) to access other non-Salesforce internal apps.
  • B. Configure Mobile App settings in connected app and Salesforce as identity provider for non-Salesforce internal apps.
  • C. Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce internal apps.
  • D. Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and non-Salesforce internal apps.

Answer: B

Explanation:
Configuring Mobile App settings in connected app and Salesforce as identity provider for non-Salesforce internal apps is the best way to meet the requirements with the privately distributed mobile app. The Mobile App settings allow users to download the app from a private URL and use it with Salesforce credentials. The identity provider settings allow users to access other internal apps with SSO using Salesforce as the IdP. The other options are either not feasible or not optimal for this use case. References: Mobile App Settings, Single Sign-On for Desktop and Mobile Applications using SAML and OAuth

NEW QUESTION 4
Universal containers (UC) has implemented a multi-org strategy and would like to centralize the management of their salesforce user profiles. What should the architect recommend to allow salesforce profiles to be managed from a central system of record?

  • A. Implement jit provisioning on the SAML IDP that will pass the profile id in each assertion.
  • B. Create an apex scheduled job in one org that will synchronize the other orgs profile.
  • C. Implement Delegated Authentication that will update the user profiles as necessary.
  • D. Implement an Oauthjwt flow to pass the profile credentials between systems.

Answer: A

Explanation:
To allow Salesforce profiles to be managed from a central system of record, the architect should recommend to implement JIT provisioning on the SAML IDP that will pass the profile ID in each assertion. JIT provisioning is a process that creates or updates user accounts on Salesforce based on information sent by an external identity provider (IDP) during SAML authentication. By passing the profile ID in each assertion, the IDP can control which profile is assigned to each user. Option B is not a good choice because creating an Apex scheduled job in one org that will synchronize the other orgs profile may not be scalable, reliable, or secure. Option C is not a good choice because implementing Delegated Authentication that will update the user profiles as necessary may not be feasible, as Delegated Authentication only verifies the user’s credentials against an external service, but does not pass any other information to Salesforce. Option D is not a good choice because implementing an OAuth JWT flow to pass the profile credentials between systems may not be suitable, as OAuth JWT flow is used for server-to-server integration, not for user authentication.
References: Authorize Apps with OAuth, [Identity Management Concepts], [User Authentication]

NEW QUESTION 5
Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community Users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate Profile and Account values.
Which two actions should the Architect recommend to UC1 Choose 2 answers

  • A. Configure Registration for Communities to use a custom Visualforce Page.
  • B. Modify the SelfRegistration trigger to assign Profile and Account.
  • C. Modify the CommunitiesSelfRegController to assign the Profile and Account.
  • D. Configure Registration for Communities to use a custom Apex Controller.

Answer: CD

Explanation:
To enable self-registration for partner community users, UC should modify the CommunitiesSelfRegController class to assign the Profile and Account values based on the custom data elements captured from the partner user. UC should also configure Registration for Communities to use a custom Apex controller that extends the CommunitiesSelfRegController class and overrides the default registration logic3.
References:
Identity-and-Access-Management-Architect dumps exhibit Customize Self-Registration

NEW QUESTION 6
Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or via single sign-on against NTO's corporate Identity Provider, which includes built-in MFA.
Which configuration will meet this requirement?

  • A. Create and assign a permission set to all employees that includes "MFA for User Interface Logins."
  • B. Create a custom login flow that enforces MFA and assign it to a permission se
  • C. Then assign the permission set to all employees.
  • D. Enable "MFA for User Interface Logins" for your organization from Setup -> Identity Verification.
  • E. For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels.

Answer: C

Explanation:
Enabling “MFA for User Interface Logins” for the organization is the simplest way to ensure that all user logins include a single MFA prompt. This setting applies to both direct logins and SSO logins, and overrides any other MFA settings at the profile or permission set level. References: Enable MFA for Direct User Logins, Everything You Need to Know About MFA Auto-Enablement and Enforcement

NEW QUESTION 7
Which two security risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce? Choose 2 answers

  • A. Users leaving laptops unattended and not logging out of Salesforce.
  • B. Users accessing Salesforce from a public Wi-Fi access point.
  • C. Users choosing passwords that are the same as their Facebook password.
  • D. Users creating simple-to-guess password reset questions.

Answer: BC

Explanation:
Enabling Two-Factor Authentication (2FA) in Salesforce can mitigate the security risks of users accessing Salesforce from a public Wi-Fi access point or choosing passwords that are the same as their Facebook password. 2FA is an additional layer of protection beyond your password that requires users to verify their identity with another factor, such as a mobile app, a security key, or a verification code. This can prevent unauthorized access even if the user’s password is compromised or guessed by a malicious actor. The other options are not directly related to 2FA, but rather to user behavior or password policies.

NEW QUESTION 8
Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.
What type of authentication flow is required to support deep linking'

  • A. Web Server OAuth SSO flow
  • B. Service-Provider-Initiated SSO
  • C. Identity-Provider-initiated SSO
  • D. StartURL on Identity Provider

Answer: B

Explanation:
Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials4. There are two types of SSO flows that can be used with Salesforce as the service provider (SP) and an external identity provider (IdP)5:
Identity-and-Access-Management-Architect dumps exhibit Service-provider-initiated SSO: The user requests a resource from the SP, such as a Salesforce URL. The SP redirects the user to the IdP for authentication. The IdP authenticates the user and sends a SAML response to the SP. The SP validates the SAML response and grants access to the user5. This type of SSO flow supports deep linking, which means that the user can access a specific page within Salesforce without logging in again6.
Identity-and-Access-Management-Architect dumps exhibit Identity-provider-initiated SSO: The user logs in to the IdP and selects an app from a list of available apps. The IdP sends a SAML response to the SP. The SP validates the SAML response and grants access to the user5. This type of SSO flow does not support deep linking, which means that the user can only access the default landing page of Salesforce6.
References:
Identity-and-Access-Management-Architect dumps exhibit Single Sign-On
Identity-and-Access-Management-Architect dumps exhibit SAML SSO Flows
Identity-and-Access-Management-Architect dumps exhibit Deep Linking

NEW QUESTION 9
When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented?

  • A. The Experience ID, which can be included in OAuth/Open ID flows and Security Assertion Markup Language (SAML) flows as a URL parameter.
  • B. Provide a brand picker that the end user can use to select its sub-brand when they arrive on salesforce.
  • C. Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply branding based on the parameters value.
  • D. The Audience ID, which can be set in a shared cookie.

Answer: A

Explanation:
Configuring an authentication provider to delegate authentication to the LDAP directory ensures that users can only log in to Salesforce if they are active in the LDAP directory. This prevents terminated employees from accessing Salesforce with their old credentials. References: Authentication Providers, Delegated Authentication Single Sign-On

NEW QUESTION 10
A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity.
Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?

  • A. Login Forensics
  • B. Login Report
  • C. Login Inspector
  • D. Login History

Answer: A

Explanation:
To track login data and highlight or curb fraudulent activity, the identity architect should use Login Forensics. Login Forensics is a tool that analyzes login history data and provides insights into user login patterns, such as average number of logins, login outliers, login anomalies, and login risk scores. Login Forensics can help identify suspicious or malicious login attempts and take preventive actions. References: Login Forensics, Login Forensics Implementation Guide

NEW QUESTION 11
A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities.
Which Salesforce OAuth authorization flow should be used?

  • A. OAuth 2.0 JWT Bearer How
  • B. OAuth 2.0 Device Flow
  • C. OAuth 2.0 User-Agent Flow
  • D. OAuth 2.0 Asset Token Flow

Answer: B

Explanation:
The OAuth 2.0 Device Flow is a type of authorization flow that allows users to register an IoT device with limited display input or capabilities, such as a smart TV, a printer, or a smart speaker1. The device flow works as follows1:
Identity-and-Access-Management-Architect dumps exhibit The device displays or reads out a verification code and a verification URL to the user.
Identity-and-Access-Management-Architect dumps exhibit The user visits the verification URL on another device, such as a smartphone or a laptop, and enters the verification code.
Identity-and-Access-Management-Architect dumps exhibit The user logs in to Salesforce and approves the device.
Identity-and-Access-Management-Architect dumps exhibit The device polls Salesforce for an access token using the verification code.
Identity-and-Access-Management-Architect dumps exhibit Salesforce returns an access token to the device, which can then access Salesforce APIs.
References:
Identity-and-Access-Management-Architect dumps exhibit OAuth 2.0 Device Flow

NEW QUESTION 12
Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled “User Provisioning” on the Connected App so that changes to user accounts can be synched between Salesforce and the third-party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system. What is the most likely reason for this behavior?

  • A. User Provisioning for Connected Apps does not support role sync.
  • B. Required operation(s) was not mapped in User Provisioning Settings.
  • C. The Approval queue for User Provisioning Requests is unmonitored.
  • D. Salesforce roles have more than three levels in the role hierarchy.

Answer: B

Explanation:
User Provisioning for Connected Apps supports role sync, but the required operation(s) must be mapped in User Provisioning Settings. According to the Salesforce documentation1, “To provision roles, map the Role operation to a field in the connected app. The field must contain the role’s unique name.” Therefore, option B is the correct answer.
References: Salesforce Documentation

NEW QUESTION 13
A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements:
* 1. The development team has decided to use a Canvas app to expose the pricing application to agents.
* 2. Agents should be able to access the Canvas app without needing to log in to the pricing application.
Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users?
Choose 2 answers

  • A. Select "Enable as a Canvas Personal App" in the connected app settings.
  • B. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application.
  • C. Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized.
  • D. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated.

Answer: CD

Explanation:
To allow agents to access the Canvas app without needing to log in to the pricing application, the identity architect should consider two options:
Identity-and-Access-Management-Architect dumps exhibit Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized. A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols. A Canvas app is a type of connected app that allows an external application to be embedded within Salesforce. By setting Admin-approved users as pre-authorized, the identity architect can control which users can access the Canvas app by assigning profiles or permission sets to the connected app.
Identity-and-Access-Management-Architect dumps exhibit Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated. SAML is a protocol that allows users to authenticate and authorize with an external identity provider and access Salesforce resources. By enabling SAML in the connected app, the identity architect can use Salesforce as a service provider (SP) and the pricing application as an identity provider (IdP) for single sign-on (SSO). By setting SAML Initiation Method as Service Provider Initiated, the identity architect can initiate the SSO process from Salesforce and send a SAML request to the pricing application. References: Connected Apps, Canvas Apps, SAML Single Sign-On Settings

NEW QUESTION 14
The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company*s login and registration experience on Salesforce Experience Cloud.
The CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic right-frame from an external URL.
Which two solutions should the IAM specialist recommend? Choose 2 answers

  • A. Use Experience Builder to build branded Reset and Forgot Password pages.
  • B. Build custom pages for branding requirements in Experience Cloud.
  • C. Build custom site pages for reset and forgot password features.
  • D. Login & Registration pages can be branded in the Community Administration settings.

Answer: AD

Explanation:
Experience Builder and Community Administration settings are the tools that allow branding the login and registration pages in Experience Cloud. Custom pages are not necessary for this use case.
References: Architect Journey: Identity and Access Management Trailmix - Trailhead

NEW QUESTION 15
Which two roles of the systems are involved in an environment where salesforce users are enabled to access Google Apps from within salesforce through App launcher and connected App set up? Choose 2 answers

  • A. Google is the identity provider
  • B. Salesforce is the identity provider
  • C. Google is the service provider
  • D. Salesforce is the service provider

Answer: BC

Explanation:
In an environment where Salesforce users are enabled to access Google Apps from within Salesforce through App Launcher and Connected App setup, Google is the service provider and Salesforce is the identity provider. A service provider is an application that provides a service to users and relies on an identity provider for authentication3. A connected app is a service provider that integrates an application with Salesforce using APIs4. An identity provider is an application that authenticates users and provides information about them to service providers3. The App Launcher is a feature that allows users to access Salesforce, connected, and on-premises apps from one location5. In this scenario, Google Apps are connected apps that provide services to Salesforce users, such as Gmail, Google Drive, and Google Calendar. Salesforce is the identity provider that authenticates users and allows them to access Google Apps with their Salesforce credentials using single sign-on (SSO)6.
References: Identity Provider Overview, Connected Apps Overview, App Launcher, Single Sign-On for Desktop and Mobile Applications using SAML and OAuth

NEW QUESTION 16
Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to an authentication provider for the new site.
Which two options should be utilized in creating an authentication provider? Choose 2 answers

  • A. A custom registration handier can be set.
  • B. A custom error URL can be set.
  • C. The default login user can be set.
  • D. The default authentication provider certificate can be set.

Answer: AB

Explanation:
An authentication provider is a configuration that allows users to log in to Salesforce using an external identity provider, such as Facebook, Google, or a custom one. When creating an authentication provider, two options that can be utilized are:
Identity-and-Access-Management-Architect dumps exhibit A custom registration handler, which is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from the external identity provider.
Identity-and-Access-Management-Architect dumps exhibit A custom error URL, which is a URL that users are redirected to when an error occurs during the authentication process. References: Authentication Providers, Create an Authentication Provider

NEW QUESTION 17
......

P.S. Easily pass Identity-and-Access-Management-Architect Exam with 246 Q&As DumpSolutions.com Dumps & pdf Version, Welcome to Download the Newest DumpSolutions.com Identity-and-Access-Management-Architect Dumps: https://www.dumpsolutions.com/Identity-and-Access-Management-Architect-dumps/ (246 New Questions)