Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Identity and Access Management

Practice CISSP Identity and Access Management questions with full explanations on every answer.

60 questions. Free, no account required. Practice sessions of 10, 20, 30, or 50 questions (roughly one minute per question) draw only from this domain.

Click any question to see the full explanation and answer options, or start a focused practice session above.

1. Which authentication factor type is a smart card?

2. An organization requires users to authenticate with a password and a one-time code sent to their mobile phone. This is an example of which authentication method?

3. In Kerberos authentication, which component issues a Ticket Granting Ticket (TGT) after verifying the user's credentials?

4. An attacker who has compromised the Kerberos Key Distribution Center (KDC) could forge a Ticket Granting Ticket (TGT) to impersonate any user. This type of attack is known as:

5. Which statement about SAML 2.0 is correct?

6. Which OAuth 2.0 grant type is recommended for a public client (e.g., single-page application) that cannot securely store a client secret?

7. OpenID Connect (OIDC) extends OAuth 2.0 primarily by adding which capability?

8. An organization is implementing identity management and wants to ensure that when an employee leaves, all access is promptly revoked. Which process is most directly responsible for removing accounts and access rights for a leaver?

9. A security analyst is reviewing access rights and discovers an active account belonging to a former employee who left six months ago. This is an example of:

10. In a Privileged Access Management (PAM) solution, which feature provides temporary elevation of privileges for specific tasks, reducing the risk of standing privileges?

11. In LDAP, what does the Distinguished Name (DN) uniquely identify?

12. Which access control model allows the owner of a resource to determine who can access it and what permissions they have?

13. A security policy requires that a user cannot have both the ability to create purchase orders and approve invoices. This is an example of:

14. A security architect is designing a Single Sign-On (SSO) solution for a web application that needs to support authentication and authorization. Which TWO of the following protocols are best suited for this purpose? (Select TWO)

15. An organization is implementing Privileged Access Management (PAM). Which THREE of the following are common features of a PAM solution? (Select THREE)

16. Which of the following is an example of a Type 2 authentication factor?

17. A security administrator is configuring a system that requires users to provide a password and a one-time code from a hardware token. Which authentication method is being implemented?

18. In Kerberos, which component issues ticket-granting tickets (TGTs) after verifying the user's credentials?

19. An attacker has obtained a Kerberos TGT and uses it to request service tickets for any resource in the domain. Which type of attack is this?

20. Which protocol is specifically designed for authorization and not authentication, often using grant types like authorization code and client credentials?

21. In an OAuth 2.0 authorization code flow with PKCE, what is the primary purpose of the code verifier and code challenge?

22. An organization wants to implement single sign-on across multiple web applications using an XML-based protocol that supports identity provider (IdP) and service provider (SP) initiated flows. Which technology should they choose?

23. An employee leaves the company, and their user account is not disabled. This creates a security risk known as:

24. Which principle ensures that a user is granted only the permissions necessary to perform their job functions?

25. A company implements a policy requiring two different employees to approve a payment transaction. This is an example of:

26. An organization wants to provide just-in-time administrative access to servers, with session recording and password vaulting. Which solution is best suited?

27. An LDAP distinguished name (DN) includes the attribute 'CN=John Doe,OU=Sales,DC=company,DC=com'. What does 'CN' stand for?

28. Which access control model bases decisions on attributes of the user, resource, and environment, and can use Boolean logic to define policies?

29. A security analyst is reviewing access controls for a financial application. Which TWO of the following are considered best practices for preventing fraud? (Select TWO.)

30. An organization is implementing a Privileged Access Management (PAM) solution. Which THREE of the following are common features of PAM? (Select THREE.)

31. Which of the following is an example of a Type 1 authentication factor?

32. In Kerberos authentication, what is the purpose of the Ticket Granting Ticket (TGT)?

33. A security analyst discovers that an attacker has gained domain admin privileges by forging a Kerberos TGT using the KRBTGT account hash. Which attack has occurred?

34. In SAML 2.0, which component is responsible for authenticating the user and generating an assertion?

35. An organization wants to enable single sign-on (SSO) across multiple web applications using an XML-based protocol that supports browser redirect flows. Which technology is most appropriate?

36. In OAuth 2.0, which grant type is recommended for a native mobile application that cannot securely store a client secret, and uses PKCE?

37. Which of the following is a process that ensures users periodically confirm they still need access to systems and data?

38. A financial application requires two employees to authorize a wire transfer. Which principle does this implement?

39. An organization implements Privileged Access Management (PAM) and wants to reduce the risk of standing privileges. Which approach grants temporary elevated access only when needed?

40. In LDAP, which attribute uniquely identifies an entry within the directory information tree?

41. Which access control model assigns permissions based on a user's job function?

42. An organization uses Active Directory and needs to enforce password complexity settings for all users in a specific department. What is the most efficient way to achieve this?

43. A security administrator is reviewing potential risks associated with orphaned accounts. Which TWO of the following are risks of orphaned accounts?

44. Which THREE of the following are components of a Privileged Access Management (PAM) solution?

45. Which TWO of the following are differences between OAuth 2.0 and OpenID Connect (OIDC)?

46. Which of the following is an example of a Type 2 authentication factor?

47. A security architect is designing an authentication system for a healthcare application that requires strong security. The system will use a password and a one-time passcode sent via SMS. How many authentication factor types are being used?

48. During a Kerberos authentication process, the client receives a Ticket Granting Ticket (TGT) from the Authentication Server (AS). Later, the client presents the TGT to the Ticket Granting Server (TGS) to request a service ticket. Which of the following best describes the purpose of the TGT?

49. An organization implements Single Sign-On (SSO) using SAML 2.0. A user attempts to access a cloud application (Service Provider) but is not authenticated. The Service Provider redirects the user to the Identity Provider (IdP) for authentication. Which type of SAML flow is this?

50. A developer is implementing OAuth 2.0 for a mobile app (public client) that needs to access a user's data from a third-party API. To mitigate the authorization code interception attack, which OAuth 2.0 extension should be used?

51. Which of the following access control models allows the data owner to decide who can access their resources?

52. A financial institution requires that no single employee can approve a transaction and also reconcile the account. This is an example of which security principle?

53. Which of the following is a lightweight directory access protocol used for accessing and maintaining distributed directory information?

54. An organization discovers that a former employee's account is still active and has been used to access sensitive data. This is an example of which type of risk?

55. Which TWO of the following are characteristics of a Privileged Access Management (PAM) solution? (Choose two.)

56. Which TWO of the following are OAuth 2.0 grant types? (Choose two.)

57. A security analyst is performing an access review. Which THREE of the following are best practices for user access recertification? (Choose three.)

58. In the context of identity management, which TWO of the following are risks associated with orphaned accounts? (Choose two.)

59. An organization is implementing OpenID Connect (OIDC) for authentication. Which THREE of the following are components of OIDC? (Choose three.)

60. Which TWO of the following are examples of Type 3 authentication factors? (Choose two.)

Other CISSP exam domains

Security and Risk Management; Asset Security; Security Operations; Security Architecture and Engineering; Communication and Network Security; Security Assessment and Testing; Software Development Security

Frequently asked questions

What does the Identity and Access Management domain cover on the CISSP exam?

The Identity and Access Management domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.

How many Identity and Access Management questions are in the CISSP question bank?

The Courseiva CISSP question bank contains 60 questions in the Identity and Access Management domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Identity and Access Management for CISSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Identity and Access Management questions for CISSP?

Yes — the session launcher on this page draws questions exclusively from the Identity and Access Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
