Practice Free Identity-and-Access-Management-Architect Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203) Exam Questions Answers With Explanation

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option C is the best answer in Salesforce terms.

Salesforce’s secure MFA guidance is based on two independent factors, not simply any second code that can be sent to the user. Strong MFA methods include possession-based authenticators and standards-compliant mechanisms such as security keys, approved authenticator apps, and trusted third-party SSO solutions that themselves enforce strong MFA. Lightning Login is also treated as a passwordless, device-based secure approach in the Salesforce ecosystem. By contrast, SMS and email verification do not meet Salesforce’s general MFA requirement for secure user-interface logins in the same way. The architecture point is that Salesforce distinguishes between convenience verifications and strong authentication factors. For compliance-driven MFA, architects should choose the methods Salesforce classifies as high-assurance. This is why options A, B, D work together as the correct solution.

Salesforce connected-app user provisioning can be combined with internal approval so downstream accounts are created only after the right business authorization is complete. The connected app must have user provisioning enabled, and the target application must be represented as a connected app in Salesforce. To control timing, the approval process should be associated with the provisioning request object that participates in the provisioning lifecycle rather than with the generic User object. That allows the organization to hold or approve the provisioning action itself. This pattern is useful when HR or compliance wants a formal checkpoint before external accounts are created. The architecture separates identity eligibility from final outbound provisioning execution. This is why options B, C, D work together as the correct solution.

For an Experience Cloud site that uses Salesforce as the identity provider, the supported login experiences are the standard page types intended for authentication. Salesforce supports a Login Discovery page, which helps identify the user and route them appropriately, and an Embedded Login page, which allows the login experience to be embedded into a branded front-end. These are purpose-built for sign-in scenarios. By contrast, a generic Experience Builder content page or a Lightning Experience page is not the same thing as a supported login page type for the site’s authentication flow. The important distinction in Salesforce documentation is between pages designed for site content and pages designed to participate directly in the authentication journey. This is why options A, C work together as the correct solution.

If Salesforce is brokering identity from an enterprise SSO platform to downstream applications, then in its relationship with the enterprise SSO system Salesforce is acting as a service provider. It is consuming authentication from the enterprise identity source and then using that result to participate in further federation to third-party apps. That distinction matters because the same platform can be an SP upstream and an IdP downstream in the same overall architecture. Resource server and client-application labels do not describe the identity role Salesforce is playing in that specific trust relationship. The key point is directional trust: Salesforce receives the authentication from the enterprise SSO provider, so it is the service provider in that connection. This is why option A is the best answer in Salesforce terms.

Salesforce supports dynamic branding for Experience Cloud login journeys through the Experience ID parameter. The Experience ID tells Salesforce which branded experience to render, allowing a single identity implementation to serve multiple brands or sub-brands without building separate authentication stacks. This is more scalable than asking users to pick a brand after arrival or inventing custom parameters and branding logic outside the standard experience framework. It also works cleanly with OAuth and SAML-based sign-in patterns, which is why it is commonly recommended in multi-brand CIAM designs. When the requirement is to reliably present the correct branded Salesforce experience during login, the Experience ID is the built-in mechanism intended for that routing and presentation layer. This is why option A is the best answer in Salesforce terms.

When an account may be compromised, the first Salesforce-native source to review is Login History. It shows authentication attempts, source IP addresses, login status, browser and platform information, and the methods used to access the org. That makes it the most direct starting point for identifying suspicious access patterns or confirming when and how a user session was established. Setup Audit Trail tracks administrative configuration changes, not end-user sign-in behavior, and the user record itself doesn’t provide the same detailed authentication trail. In a forensic workflow, the early question is usually “did someone log in, from where, and by what method?” Login History is the fastest place to answer that inside Salesforce. This is why option B is the best answer in Salesforce terms.

Salesforce supports token revocation through the revoke token endpoint. When an external application logs the user out and the existing OAuth token must be invalidated immediately, the application should make the appropriate HTTP request to that revocation endpoint and include the current token. That explicitly tells Salesforce the token should no longer be accepted. Requesting a new refresh token or calling unrelated endpoints would not invalidate the existing authorization. Single Logout can help in federated browser journeys, but the requirement here is specifically about invalidating the OAuth token itself. The architecture distinction is important: session logout and token revocation are related but not identical operations, and Salesforce provides a dedicated endpoint for revocation. This is why option A is the best answer in Salesforce terms.

For real-time visibility into login events and other security-relevant user activity, Salesforce Event Monitoring is the purpose-built monitoring feature. Event Monitoring and Event Log Files give security and identity teams access to detailed telemetry about login behavior, session activity, API usage, and other actions that matter for threat detection and investigation. Profiles and encryption settings do not provide operational monitoring, and Data Loader is unrelated. The architectural distinction is between preventive controls and detective controls. Event Monitoring is a detective control: it helps the organization observe behavior, identify anomalies, and react quickly. When the requirement mentions unusual login patterns, security incidents, or real-time monitoring, Salesforce documentation points architects toward Event Monitoring rather than ordinary administrative setup screens. This is why option A is the best answer in Salesforce terms.

In Experience Cloud B2B patterns, a partner identity in Salesforce is represented by a User that is related to a Contact, which in turn belongs to an Account. Delegated administration for partners assumes that account-contact-user relationship because partner users operate within a business account structure. A contact by itself is not a login identity, and a contactless user is associated with different external identity patterns. A Person Account is generally a B2C model rather than the normal B2B partner representation. The architect should therefore provision both the contact and the user record. This is consistent with how Salesforce partner communities model business relationships, sharing, delegated administration, and partner account ownership. This is why option A is the best answer in Salesforce terms.

If an organization has multiple regional ADFS systems and wants one Salesforce org without buying an additional federation broker, Salesforce can be configured with multiple SAML SSO settings so users choose the appropriate identity provider at sign-in. That satisfies the “no additional application investment” constraint more directly than introducing a new central identity broker. Identity Connect is not the solution here because it focuses on AD user synchronization, not on federating multiple ADFS realms into Salesforce login. The architectural compromise is user choice at the login screen, but it keeps the design standards-based and avoids extra infrastructure. For a single-org deployment with multiple existing enterprise IdPs, exposing multiple SSO configurations is the practical native approach. This is why option B is the best answer in Salesforce terms.

Identity Connect can synchronize several Salesforce security constructs from Active Directory-driven administration, particularly the identity and authorization artifacts attached to users. Profiles and permission sets are directly relevant because they define user capabilities in Salesforce. Roles also matter because they shape record access and hierarchy behavior. Public groups can participate in permission design and assignment patterns as well. By contrast, sharing rules and permission set licenses are not the core mapping focus in the same way. The main architectural takeaway is that Identity Connect is about translating directory-based user management into Salesforce access structures, especially those that determine who a user is, what they can do, and where they sit in the org’s access model. This is why options B, D, E work together as the correct solution.

Salesforce Experience Cloud includes out-of-the-box branding options for login and registration experiences, and those can be extended through Experience Builder for related pages such as forgot-password and reset-password journeys. The standard site administration and branding controls can cover logos, colors, and certain visual treatments of the login page. Where the business wants branded password-management pages as well, Experience Builder is the supported way to build those experiences consistently. That is better than creating fully custom pages for everything unless the requirement truly goes beyond what the platform supports. The architecture point is to use the built-in branding framework first and extend through Experience Builder where branded identity pages are needed. This is why options A, D work together as the correct solution.

For a connected app to appear as a tile in the Salesforce App Launcher, two things generally matter: the app must be marked visible in the App Launcher, and the connected app configuration must include the required launch details such as the start URL or equivalent launch settings. High-assurance session requirements or OIDC scopes do not by themselves control whether the tile shows up. The absence of a launch target can keep the app from being presented meaningfully to users even when the connected app exists. From an architecture and administration perspective, discovery in the launcher depends on app-visibility settings plus a valid launch configuration. Without those, users can be entitled to the app and still not see it in the launcher. This is why options B, C work together as the correct solution.

When Salesforce already provides built-in authentication provider support for the social networks required by the business, the simplest architecture is to use those predefined authentication providers. That avoids building custom provider logic for well-known services such as Facebook and, in many exam scenarios, Twitter. The point of the predefined provider is to reduce custom work, accelerate setup, and stay within the Salesforce-supported social sign-in pattern. A custom provider would only be necessary when the external source is not supported through the standard templates or protocols available. The architecture principle is to use standard provider support first and reserve custom provider work for gaps. That keeps the implementation easier to manage and easier to troubleshoot. This is why option C is the best answer in Salesforce terms.

The requirements call for two distinct capabilities: federation for sign-in and standards-based lifecycle management for provisioning. In Salesforce terms, that means Salesforce should act as a SAML service provider for authentication while SCIM handles create, update, and deactivate operations from the central IAM system. Just-in-Time provisioning alone is not enough here because the requirement includes provisioning and deprovisioning triggered by user status changes in the central identity service, not just first-login user creation. Identity Connect is aimed at Active Directory synchronization and is not the general answer for cloud IAM-to-Salesforce lifecycle management. Pairing SAML for SSO with SCIM for provisioning is the clean standards-based architecture when identity governance happens outside Salesforce. This is why option C is the best answer in Salesforce terms.

Contactless users in Experience Cloud are tied to a narrower external identity model than full community users associated with contacts. That is the important architectural tradeoff. The feature can reduce overhead for certain external identity scenarios, but it also limits what license model and functionality are available. In practice, architects need to recognize that contactless users are associated with External Identity use cases rather than the richer Experience Cloud collaboration capabilities that depend on account-contact relationships. That is why the decision affects portal design, entitlement options, and downstream business processes. The right answer focuses on the license and capability limitation, not on speculative behavior about passwordless login or automatic contact creation during a later license change. This is why option C is the best answer in Salesforce terms.

When users report SSO login errors, Login History is the first Salesforce-native place to look for the failure details. It records authentication attempts, statuses, timestamps, source information, and failure reasons that help narrow down whether the problem lies in the identity provider, the assertion, or the Salesforce configuration. Setup Audit Trail is for admin changes, not runtime authentication troubleshooting, and exception email is not the primary way to debug SSO. The practical reason architects start with Login History is that it tells you what Salesforce actually received and how Salesforce evaluated it. That makes it a reliable first checkpoint during alumni portal, workforce SSO, or community login investigations. This is why option B is the best answer in Salesforce terms.

If the organization wants users to sign in only through SSO and not by entering credentials at login.salesforce.com, two standard controls are used together. My Domain can be configured to prevent login from the generic Salesforce login page, forcing users onto the org-specific authentication entry point. In addition, the user can be marked as “Is Single Sign-On Enabled,” which prevents password-based Salesforce login for that user. Those two controls reinforce each other: one redirects the entry point, and the other removes the fallback credential path. Delegated authentication is not required just to enforce SSO, and simply enabling SSO never means Salesforce credentials stop working automatically. The architecture goal is to remove non-SSO login paths deliberately. This is why options A, D work together as the correct solution.

When Salesforce is acting as an identity provider and the goal is to make a third-party application available from within Salesforce, two standard tools work together: a connected app to define trust and single sign-on behavior, and the App Launcher to give users a discoverable entry point. The connected app handles the identity relationship and protocol settings, while the launcher exposes the application from the Salesforce UI. Delegated Authentication and external data sources solve different problems and don’t provide the same app-launch experience. In Salesforce Identity architecture, this combination is common because it aligns governance and usability: the app is centrally configured through a connected app and then delivered to users as part of their Salesforce app catalog. This is why options A, C work together as the correct solution.

To integrate an external application with Salesforce by using OAuth 2.0, the architect generally needs a connected app and the right OAuth scopes. The connected app defines the trust relationship and client identity, while the scopes specify what access the app can request, such as API access or refresh-token capability. Authentication providers solve inbound sign-in from an external identity source, which is a different use case. A vague “OAuth token” is the result of the configuration, not the administrative construct you build first. The important architecture principle is that OAuth access to Salesforce starts with a connected app. Without that, the external order-fulfillment application has no registered client identity or scope model for calling Salesforce APIs. This is why option D is the best answer in Salesforce terms.

The OAuth 2.0 Asset Token Flow is Salesforce’s purpose-built answer for connected devices and IoT-style integrations. It is designed for assets that need to act on behalf of a physical device or asset record rather than a human user. That makes it the correct fit for sensors, GPS trackers, or smart devices that must securely post telemetry or create service actions in Salesforce. User-agent, web-server, or username-password flows are built around user identity or generic application access, not around a registered device/asset relationship. The architectural advantage of the asset token model is that it ties the authorization context back to the asset, which is exactly what you want when the platform must know which device generated the event or maintenance alert. This is why option D is the best answer in Salesforce terms.

My Domain is a prerequisite for many modern Salesforce identity capabilities because it gives the org a unique and predictable login domain. In multi-org environments, that matters when users click record links from emails and must be routed into the correct instance and authentication path. Without My Domain, identity routing and branded login behavior become harder to control, especially when multiple orgs and external identity providers are involved. MFA and Identity Provider settings address other aspects of security, but they do not provide the unique domain-level entry point required here. The architectural role of My Domain is both technical and user-facing: it standardizes the login endpoint and helps ensure that generated links take users to the proper org context. This is why option B is the best answer in Salesforce terms.

When users report SSO login errors, Login History is the first Salesforce-native place to look for the failure details. It records authentication attempts, statuses, timestamps, source information, and failure reasons that help narrow down whether the problem lies in the identity provider, the assertion, or the Salesforce configuration. Setup Audit Trail is for admin changes, not runtime authentication troubleshooting, and exception email is not the primary way to debug SSO. The practical reason architects start with Login History is that it tells you what Salesforce actually received and how Salesforce evaluated it. That makes it a reliable first checkpoint during alumni portal, workforce SSO, or community login investigations. This is why option C is the best answer in Salesforce terms.

Salesforce connected-app user provisioning can be combined with internal approval so downstream accounts are created only after the right business authorization is complete. The connected app must have user provisioning enabled, and the target application must be represented as a connected app in Salesforce. To control timing, the approval process should be associated with the provisioning request object that participates in the provisioning lifecycle rather than with the generic User object. That allows the organization to hold or approve the provisioning action itself. This pattern is useful when HR or compliance wants a formal checkpoint before external accounts are created. The architecture separates identity eligibility from final outbound provisioning execution. This is why options C, D, E work together as the correct solution.

If the external wellness application needs user attributes returned in an ID token, the mechanism must be OpenID Connect. OIDC extends OAuth with identity semantics and introduces the ID token as the standard carrier for authenticated user information. A plain user-agent or web-server OAuth flow by itself does not guarantee an ID token, because OAuth alone is about authorization, not identity. JWT bearer flow is also for noninteractive token exchange, not end-user identity assertion to a relying party. The architecture requirement points directly to the artifact being requested: an ID token. In Salesforce identity design, once the requirement says “return attributes in an ID token,” the answer is to use OpenID Connect. This is why option B is the best answer in Salesforce terms.

Once SAML SSO is already configured, enabling Just-in-Time provisioning in Salesforce is done on the SAML Single Sign-On setting itself. The architect turns on JIT user provisioning, selects the provisioning type, and supplies the SAML JIT handler if custom logic is needed. That is the expected configuration path because JIT is part of the federation handshake, not a sharing model or permission-set feature. Creating a random Apex class without wiring it into the SAML setting would not enable JIT on its own. The architectural distinction is that JIT rides inside the SAML login process. Therefore it must be enabled and configured where Salesforce processes the incoming assertion. This is why option A is the best answer in Salesforce terms.