Salesforce Salesforce Certifications IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT Questions & Answers

• Question 51:

  Universal Containers (UC) uses Active Directory (AD) as their identity store for employees and must continue to do so for network access. UC is undergoing a major transformation program and moving all of their enterprise applications to cloud platforms including Salesforct, Workday, and SAP HANA. UC needs to implement an SSO solution for accessing all of the third-party cloud applications and the CIO is inclined to use Salesforce for all of their identity and access management needs.

  Which two Salesforce license types does UC need for its employees' Choose 2 answers

  A. Company Community and Identity licenses

  B. Identity and Identity Connect licenses

  C. Chatter Only and Identity licenses

  D. Salesforce and Identity Connect licenses

  Correct Answer: BD

• Question 52:

  Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution as Architect should consider?

  A. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.

  B. Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.

  C. Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.

  D. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

  Correct Answer: D

• Question 53:

  Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or via single sign-on against NTO's corporate Identity Provider, which includes built-in MFA.

  Which configuration will meet this requirement?

  A. Create and assign a permission set to all employees that includes "MFA for User Interface Logins."

  B. Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees.

  C. Enable "MFA for User Interface Logins" for your organization from Setup -> Identity Verification.

  D. For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels.

  Correct Answer: C

• Question 54:

  An identity architect is implementing a mobile-first Consumer Identity Access Management (CIAM) for external users. User authentication is the only requirement. The users email or mobile phone number should be supported as a username.

  Which two licenses are needed to meet this requirement?

  Choose 2 answers

  A. External Identity Licenses

  B. Identity Connect Licenses

  C. Email Verification Credits

  D. SMS verification Credits

  Correct Answer: AD

• Question 55:

  An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication and user management, which must be utilized by all applications as follows:

  1 - Change of a user status in the central IAM Service triggers provisioning or deprovisioining in the integrated cloud applications.

  2 - Security Assertion Markup Language single sign-on (SSO) is used to facilitate access for users authenticated at identity provider (Central IAM Service).

  

  Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?

  A. A Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for provisioning and deprovisioning of users.

  B. Configure Salesforce as a SAML service provider, and enable Just-in Time (JIT) provisioning and deprovisioning of users.

  C. Configure central IAM Service as an authentication provider and extend registration handler to manage provisioning and deprovisioning of users.

  D. Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO.

  Correct Answer: A

• Question 56:

  Universal Containers (UC) has an existing Salesforce org configured for SP-Initiated SAML SSO with their Idp. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same Idp for new org. What action should the IT team take while implementing the second org?

  A. Use the same SAML Identity location as the first org.

  B. Use a different Entity ID than the first org.

  C. Use the same request bindings as the first org.

  D. Use the Salesforce Username as the SAML Identity Type.

  Correct Answer: B

• Question 57:

  Northern Trail Outfitters want to allow its consumer to self-register on it business-to- consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended to use Person Accounts.

  Which three steps need to be configured to enable self-registration using person accounts?

  Choose 3 answers

  A. Enable access to person and business account record types under Public Access Settings.

  B. Contact Salesforce Support to enable business accounts.

  C. Under Login and Registration settings, ensure that the default account field is empty.

  D. Contact Salesforce Support to enable person accounts.

  E. Set organization-wide default sharing for Contact to Public Read Only.

  Correct Answer: ACD

• Question 58:

  Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation Should an Architect inform the IT Manager about?

  A. Identity Connect will not support user provisioning in UC's current environment.

  B. Identity Connect will only support Idp-initiated SAML flows in UC's current environment.

  C. Identity Connect will only support SP-initiated SAML flows in UC's current environment.

  D. Identity connect is not compatible with UC's current identity environment.

  Correct Answer: A

• Question 59:

  Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers

  A. Disallow the use of Single Sign-on for any users of the mobile app.

  B. Require High Assurance sessions in order to use the Connected App.

  C. Set Login IP Ranges to the internal network for all of the app users Profiles.

  D. Use Google Authenticator as an additional part of the login process

  Correct Answer: BD

• Question 60:

  A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity.

  Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?

  A. Login Forensics

  B. Login Report

  C. Login Inspector

  D. Login History

  Correct Answer: A