Practice CISSP Identity and Access Management questions with full explanations on every answer.
1. Which authentication factor type is a smart card?
2. An organization requires users to authenticate with a password and a one-time code sent to their mobile phone. This is an example of which authentication method?
3. In Kerberos authentication, which component issues a Ticket Granting Ticket (TGT) after verifying the user's credentials?
4. An attacker who has compromised the Kerberos Key Distribution Center (KDC) could forge a Ticket Granting Ticket (TGT) to impersonate any user. This type of attack is known as:
5. Which statement about SAML 2.0 is correct?
6. Which OAuth 2.0 grant type is recommended for a public client (e.g., single-page application) that cannot securely store a client secret?
7. OpenID Connect (OIDC) extends OAuth 2.0 primarily by adding which capability?
8. An organization is implementing identity management and wants to ensure that when an employee leaves, all access is promptly revoked. Which process is most directly responsible for removing accounts and access rights for a leaver?
9. A security analyst is reviewing access rights and discovers an active account belonging to a former employee who left six months ago. This is an example of:
10. In a Privileged Access Management (PAM) solution, which feature provides temporary elevation of privileges for specific tasks, reducing the risk of standing privileges?
11. In LDAP, what does the Distinguished Name (DN) uniquely identify?
12. Which access control model allows the owner of a resource to determine who can access it and what permissions they have?
13. A security policy requires that a user cannot have both the ability to create purchase orders and approve invoices. This is an example of:
14. A security architect is designing a Single Sign-On (SSO) solution for a web application that needs to support authentication and authorization. Which TWO of the following protocols are best suited for this purpose? (Select TWO)
15. An organization is implementing Privileged Access Management (PAM). Which THREE of the following are common features of a PAM solution? (Select THREE)
16. Which of the following is an example of a Type 2 authentication factor?
17. A security administrator is configuring a system that requires users to provide a password and a one-time code from a hardware token. Which authentication method is being implemented?
18. In Kerberos, which component issues ticket-granting tickets (TGTs) after verifying the user's credentials?
19. An attacker has obtained a Kerberos TGT and uses it to request service tickets for any resource in the domain. Which type of attack is this?
20. Which protocol is specifically designed for authorization and not authentication, often using grant types like authorization code and client credentials?
21. In an OAuth 2.0 authorization code flow with PKCE, what is the primary purpose of the code verifier and code challenge?
22. An organization wants to implement single sign-on across multiple web applications using an XML-based protocol that supports identity provider (IdP) and service provider (SP) initiated flows. Which technology should they choose?
23. An employee leaves the company, and their user account is not disabled. This creates a security risk known as:
24. Which principle ensures that a user is granted only the permissions necessary to perform their job functions?
25. A company implements a policy requiring two different employees to approve a payment transaction. This is an example of:
26. An organization wants to provide just-in-time administrative access to servers, with session recording and password vaulting. Which solution is best suited?
27. An LDAP distinguished name (DN) includes the attribute 'CN=John Doe,OU=Sales,DC=company,DC=com'. What does 'CN' stand for?
28. Which access control model bases decisions on attributes of the user, resource, and environment, and can use Boolean logic to define policies?
29. A security analyst is reviewing access controls for a financial application. Which TWO of the following are considered best practices for preventing fraud? (Select TWO.)
30. An organization is implementing a Privileged Access Management (PAM) solution. Which THREE of the following are common features of PAM? (Select THREE.)
31. Which of the following is an example of a Type 1 authentication factor?
32. In Kerberos authentication, what is the purpose of the Ticket Granting Ticket (TGT)?
33. A security analyst discovers that an attacker has gained domain admin privileges by forging a Kerberos TGT using the KRBTGT account hash. Which attack has occurred?
34. In SAML 2.0, which component is responsible for authenticating the user and generating an assertion?
35. An organization wants to enable single sign-on (SSO) across multiple web applications using an XML-based protocol that supports browser redirect flows. Which technology is most appropriate?
36. In OAuth 2.0, which grant type is recommended for a native mobile application that cannot securely store a client secret, and uses PKCE?
37. Which of the following is a process that ensures users periodically confirm they still need access to systems and data?
38. A financial application requires two employees to authorize a wire transfer. Which principle does this implement?
39. An organization implements Privileged Access Management (PAM) and wants to reduce the risk of standing privileges. Which approach grants temporary elevated access only when needed?
40. In LDAP, which attribute uniquely identifies an entry within the directory information tree?
41. Which access control model assigns permissions based on a user's job function?
42. An organization uses Active Directory and needs to enforce password complexity settings for all users in a specific department. What is the most efficient way to achieve this?
43. A security administrator is reviewing potential risks associated with orphaned accounts. Which TWO of the following are risks of orphaned accounts?
44. Which THREE of the following are components of a Privileged Access Management (PAM) solution?
45. Which TWO of the following are differences between OAuth 2.0 and OpenID Connect (OIDC)?
46. Which of the following is an example of a Type 2 authentication factor?
47. A security architect is designing an authentication system for a healthcare application that requires strong security. The system will use a password and a one-time passcode sent via SMS. How many authentication factor types are being used?
48. During a Kerberos authentication process, the client receives a Ticket Granting Ticket (TGT) from the Authentication Server (AS). Later, the client presents the TGT to the Ticket Granting Server (TGS) to request a service ticket. Which of the following best describes the purpose of the TGT?
49. An organization implements Single Sign-On (SSO) using SAML 2.0. A user attempts to access a cloud application (Service Provider) but is not authenticated. The Service Provider redirects the user to the Identity Provider (IdP) for authentication. Which type of SAML flow is this?
50. A developer is implementing OAuth 2.0 for a mobile app (public client) that needs to access a user's data from a third-party API. To mitigate the authorization code interception attack, which OAuth 2.0 extension should be used?
51. Which of the following access control models allows the data owner to decide who can access their resources?
52. A financial institution requires that no single employee can approve a transaction and also reconcile the account. This is an example of which security principle?
53. Which of the following is a lightweight directory access protocol used for accessing and maintaining distributed directory information?
54. An organization discovers that a former employee's account is still active and has been used to access sensitive data. This is an example of which type of risk?
55. Which TWO of the following are characteristics of a Privileged Access Management (PAM) solution? (Choose two.)
56. Which TWO of the following are OAuth 2.0 grant types? (Choose two.)
57. A security analyst is performing an access review. Which THREE of the following are best practices for user access recertification? (Choose three.)
58. In the context of identity management, which TWO of the following are risks associated with orphaned accounts? (Choose two.)
59. An organization is implementing OpenID Connect (OIDC) for authentication. Which THREE of the following are components of OIDC? (Choose three.)
60. Which TWO of the following are examples of Type 3 authentication factors? (Choose two.)
The Identity and Access Management domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.
The Courseiva CISSP question bank contains 60 questions in the Identity and Access Management domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Identity and Access Management domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.